RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-08-19T18:00:00

Updated: 2024-08-06T10:43:06.288Z

Reserved: 2014-05-14T00:00:00

Link: CVE-2014-3490

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-08-19T18:55:02.013

Modified: 2024-11-21T02:08:13.227

Link: CVE-2014-3490

cve-icon Redhat

Severity : Moderate

Publid Date: 2014-07-23T00:00:00Z

Links: CVE-2014-3490 - Bugzilla