BID:51748

RESTEasy XML Entity References Information Disclosure Vulnerability

Info

RESTEasy XML Entity References Information Disclosure Vulnerability

Bugtraq ID:	51748
Class:	Design Error
CVE:	CVE-2012-0818
Remote:	Yes
Local:	No
Published:	Jan 31 2012 12:00AM
Updated:	Nov 11 2014 12:59AM
Credit:	Anuj Kathuria
Vulnerable:	RESTEasy RESTEasy 2.3 Red Hat JBoss Enterprise Web Platform 5 EL6 Red Hat JBoss Enterprise Web Platform 5 EL5 Red Hat JBoss Enterprise Web Platform 5 EL4 Red Hat JBoss Enterprise Application Platform 5 EL6 Red Hat JBoss Enterprise Application Platform 5 EL5 Red Hat JBoss Enterprise Application Platform 5 EL4 Red Hat Enterprise Virtualization Manager 2.2.4 Red Hat Enterprise Virtualization Manager 2.2.3 Red Hat Enterprise Virtualization Manager 3.0 Red Hat Enterprise Virtualization Manager 2.2.2 Red Hat Enterprise Virtualization Manager 2.2 Red Hat Enterprise Virtualization Manager 0 JBoss Group JBooss Enterprise SOA Platform 5.1.2

Not Vulnerable:	RESTEasy RESTEasy 2.3.1

Discussion

RESTEasy XML Entity References Information Disclosure Vulnerability

RESTEasy is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to certain local files. Information obtained may aid in further attacks.

RESTEasy versions prior to 2.3.1 are vulnerable.

Exploit / POC

RESTEasy XML Entity References Information Disclosure Vulnerability

Attackers can use readily available tools to exploit this issue.

Solution / Fix

RESTEasy XML Entity References Information Disclosure Vulnerability

Solution:
Updates are available. Please see the references for more information.

References

RESTEasy XML Entity References Information Disclosure Vulnerability

References:

RESTEasy Homepage (RESTEasy)
RestEASY Release Notes (RestEASY)