CVE-2014-3530 – org.picketlink:picketlink-common
Package
Manager: maven
Name: org.picketlink:picketlink-common
Vulnerable Version: >=0 <2.7.0.final
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.02552 (percentile 0.84933)
Details
XML External Entity Reference in org.picketlink:picketlink-common
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
Metadata
Created: 2022-05-14T03:59:54Z
Modified: 2022-11-01T22:35:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2c9q-qwrc-f486/GHSA-2c9q-qwrc-f486.json
CWE IDs: CWE-611
Alternative ID: GHSA-2c9q-qwrc-f486
Finding: F083
Auto approve: 1