CVE-2014-7839

RESTEasy 2.3.7 and 3.0.9 - XML External Entity Injection in DocumentProvider

Title source: llm
STIX 2.1

Description

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

References (6)

Core 6
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0675.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0773.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0850.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62580
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0851.html
Vendor Advisory x_refsource_misc
https://issues.jboss.org/browse/RESTEASY-1130

Scores

EPSS 0.0196
EPSS Percentile 77.9%

Details

CWE
CWE-20
Status published
Products (3)
org.jboss.resteasy/resteasy-jaxrs 0 - 3.0.11.FinalMaven
redhat/resteasy 2.3.7
redhat/resteasy 3.0.9
Published Nov 25, 2014
Tracked Since Feb 18, 2026