Skip to main content

Resteasy CVE-2014-7839

MEDIUM
Improper Input Validation (CWE-20)
2014-11-25 secalert@redhat.com
6.4
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:N/C:P/I:N/A:P
Attack Vector
Network
Attack Complexity
Low
Confidentiality
P
Integrity
None
Availability
P

Lifecycle Timeline

1
CVE Published
Nov 25, 2014 - 15:59 cve.org
MEDIUM 6.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 160 maven packages depend on org.jboss.resteasy:resteasy-jaxrs (87 direct, 73 indirect)

Ecosystem-wide dependent count for version 3.0.11.Final.

DescriptionCVE.org

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

AnalysisAI

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-20. DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors. Affected products include: Redhat Resteasy.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2014-3490 HIGH
7.5 Aug 19

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3

CVE-2018-1051 HIGH
8.1 Jan 25

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Restea

CVE-2016-6346 HIGH
7.5 Sep 07

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors. Ra

CVE-2020-1695 HIGH
7.5 May 19

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Fin

CVE-2016-6345 MEDIUM
6.5 Sep 07

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random val

CVE-2016-6348 MEDIUM
6.1 Apr 12

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.

CVE-2016-6347 MEDIUM
6.1 Apr 20

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject

CVE-2021-20293 MEDIUM
6.1 Jun 10

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where i

CVE-2023-0482 MEDIUM
5.5 Feb 17

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround clas

CVE-2021-20289 MEDIUM
5.3 Mar 26

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. Rated medium severity (CVSS 5.3), this vulne

CVE-2020-25633 MEDIUM
5.3 Sep 18

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. Rated medium severity (CVSS 5.3), thi

CVE-2012-0818 MEDIUM
5.0 Nov 23

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document

Share

CVE-2014-7839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy