CVE-2017-14949

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-14949

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14949.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-14949

Aliases

GHSA-cvj4-g3gx-8vqq

Related

UBUNTU-CVE-2017-14949

Published

2017-11-30T18:29:00Z

Modified

2024-08-01T08:11:13.575923Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.

References

Affected packages

Git / github.com/restlet/restlet-framework-java

Affected ranges

Type: GIT
Repo: https://github.com/restlet/restlet-framework-java
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

84ea79829dc9b0d1d96fa4250b7c9a1eedd5e8f7

Affected versions

2.*

2.2m1

2.2m2

2.2m3

2.2m4

2.2m5

2.2m6

2.2rc3

2.3.0

2.3.1

2.3.10

2.3.11

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3m1

2.3m2

2.3m4

2.3m5

2.3rc1

2.3rc2