GHSA-g4jg-gpwv-p7wv

Suggest an improvement
Source
https://github.com/advisories/GHSA-g4jg-gpwv-p7wv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4jg-gpwv-p7wv/GHSA-g4jg-gpwv-p7wv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4jg-gpwv-p7wv
Aliases
  • CVE-2011-5245
Published
2022-05-17T01:50:09Z
Modified
2024-12-05T05:50:45.080189Z
Summary
Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy
Details

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

Database specific 
{
    "cwe_ids": [
        "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T18:41:58Z",
    "nvd_published_at": "2012-11-23T20:55:00Z",
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.jboss.resteasy:resteasy-jaxb-provider

Package

Name
org.jboss.resteasy:resteasy-jaxb-provider
View open source insights on deps.dev
Purl
pkg:maven/org.jboss.resteasy/resteasy-jaxb-provider

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.2

Affected versions

1.*
1.0-beta-9
1.0-RC1
1.0.0.GA
1.0.1.GA
1.0.2.GA
1.1-RC1
1.1-RC2
1.1.GA
1.2.RC1
1.2.GA
1.2.1.GA
2.*
2.0-beta-1
2.0-beta-2
2.0-beta-3
2.0-beta-4
2.0-RC1
2.0.0.GA
2.0.1.GA
2.1-beta-1
2.1.0.GA
2.2-beta-1
2.2-RC-1
2.2.0.GA
2.2.1.GA
2.2.2.GA
2.2.3.GA
2.3-beta-1
2.3-RC1
2.3.0.GA
2.3.1.GA

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4jg-gpwv-p7wv/GHSA-g4jg-gpwv-p7wv.json"