CVE-2017-14949 – org.restlet.jse:org.restlet
Package
Manager: maven
Name: org.restlet.jse:org.restlet
Vulnerable Version: >=0 <2.3.12
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00512 (percentile 0.65489)
Details
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because the XML parsing only properly restricts general external entities, not parameter external entities. This affects XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
Metadata
Created: 2018-10-17T00:04:18Z
Modified: 2022-04-26T21:37:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cvj4-g3gx-8vqq/GHSA-cvj4-g3gx-8vqq.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-cvj4-g3gx-8vqq
Finding: F083
Auto approve: 1