RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
BID:69058
Info
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
| Bugtraq ID: | 69058 |
| Class: | Design Error |
| CVE: |
CVE-2014-3490 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 23 2014 12:00AM |
| Updated: | Oct 17 2018 07:00AM |
| Credit: | David Jorm |
| Vulnerable: |
RESTEasy RESTEasy 2.3 RESTEasy RESTEasy 2.3.2 RESTEasy RESTEasy 2.3.1 Redhat JBoss Enterprise Application Platform 6.3 Redhat JBoss Enterprise Application Platform 6 EL6 Redhat JBoss Enterprise Application Platform 6 EL5 Redhat JBoss Data Grid 6.3 Redhat Enterprise Linux 7 Oracle Enterprise Linux 7 Oracle Communications Performance Intelligence Center (PIC) Software 10.1.5.1 IBM Emptoris Contract Management 10.0.2 2 IBM Emptoris Contract Management 10.0.2 0 IBM Emptoris Contract Management 10.0.2.1 |
| Not Vulnerable: |
RESTEasy RESTEasy 3.0.9 Redhat JBoss Data Grid 6.3.1 Oracle Communications Performance Intelligence Center (PIC) Software 10.2 |
Discussion
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
RESTEasy is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to certain local files. Information obtained may aid in further attacks.
Note: This issue is the result of an incomplete fix for the issue described in BID 51748 (RESTEasy XML Entity References Information Disclosure Vulnerability).
RESTEasy is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to certain local files. Information obtained may aid in further attacks.
Note: This issue is the result of an incomplete fix for the issue described in BID 51748 (RESTEasy XML Entity References Information Disclosure Vulnerability).
Exploit / POC
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
Attackers can use readily available tools to exploit this issue.
Attackers can use readily available tools to exploit this issue.
Solution / Fix
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
Solution:
Updates are available. Please see the references for more information.
Solution:
Updates are available. Please see the references for more information.
References
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability
References:
References:
- RESTEasy Homepage (RESTEasy)
- Moderate: resteasy-base security update (Red Hat)
- JBoss RestEasy vulnerabilities in IBM Emptoris Contract Management (CVE-2014-349 (IBM)
- Moderate: Red Hat JBoss Enterprise Application Platform 6.3.0 security update (Red Hat)
- Moderate: Red Hat JBoss Enterprise Application Platform 6.3.0 security update (Red Hat)
- Oracle Critical Patch Update Advisory - October 2018 (Oracle)
- RESTEasy: XXE via parameter entities (Red Hat)
- RESTEasy: XXE via parameter entities (Red Hat Bugzilla)
- Security Advisory Moderate: Red Hat JBoss Data Grid 6.3.1 update (Red Hat)