CVE-2011-5245 – org.jboss.resteasy:resteasy-jaxb-provider
Package
Manager: maven
Name: org.jboss.resteasy:resteasy-jaxb-provider
Vulnerable Version: >=0 <2.3.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0095 (percentile: 0.75465)
Details
Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy. The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
Metadata
Created: 2022-05-17T01:50:09Z
Modified: 2022-07-13T18:41:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4jg-gpwv-p7wv/GHSA-g4jg-gpwv-p7wv.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-g4jg-gpwv-p7wv
Finding: F038
Auto approve: 1