Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Dec 21, 2023
Package
Affected versions
<= 3.0.11
>= 3.1.0, <= 3.1.8
Patched versions
3.0.12
3.1.9
Description
Published by the National Vulnerability Database
Aug 10, 2017
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jul 6, 2022
Last updated
Dec 21, 2023
Credits
-
sunSUNQ Analyst
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
References