CVE-2016-8739

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-8739

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8739.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-8739

Aliases

GHSA-x7xf-253v-x3w8

Published

2017-08-10T18:29:00Z

Modified

2024-09-03T01:29:41.394537Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type: GIT
Repo: https://github.com/apache/cxf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

16d789c4a913e0cac51bcf929331abe84010ce1e

Last affected

32a346e82042e99336732056e2ec81ebc27f075e

Last affected

6c7df35913ce3fc6ec8f5dc6c6074b187f751aa6

Last affected

8632867df4b542aeb158aa8d13d08ff6e31c4b4f

Last affected

a04a1e06f7fffc5f145e33c6832f31b04782516b

Last affected

bc9e3714adc8848f37694eea62d33748b01fbb91

Last affected

bf2f1008a84e03aded4dc2f6b0e1b7560d6a666a

Last affected

cdafd372c60b7e19229d7e6a91fc69b9c5dbc69c

Last affected

f3185100ec7caea0ac4b52108210ed7e68e85271

Last affected

f772a196f03f696d9410e2bfcda8edc75c5a5ce4

Affected versions

cxf-2.*

cxf-2.1

cxf-2.1.2

cxf-2.2

cxf-2.2.1

cxf-2.2.2

cxf-2.3.0

cxf-2.4.0

cxf-2.5.0

cxf-2.5.1

cxf-2.6.0

cxf-2.6.1

cxf-2.7.0

cxf-2.7.1

cxf-2.7.2

cxf-3.*

cxf-3.0.0

cxf-3.0.0-milestone2

cxf-3.0.1

cxf-3.0.10

cxf-3.0.11

cxf-3.0.2

cxf-3.0.3

cxf-3.0.4

cxf-3.0.5

cxf-3.0.6

cxf-3.0.7

cxf-3.0.8

cxf-3.0.9

cxf-3.1.0

cxf-3.1.1

cxf-3.1.2

cxf-3.1.3

cxf-3.1.4