GHSA-g4jg-gpwv-p7wv

Source
https://github.com/advisories/GHSA-g4jg-gpwv-p7wv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4jg-gpwv-p7wv/GHSA-g4jg-gpwv-p7wv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4jg-gpwv-p7wv
Aliases
  • CVE-2011-5245
Published
2022-05-17T01:50:09Z
Modified
2024-12-05T05:50:45.080189Z
Summary
Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy
Details

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

Database specific
{
    "nvd_published_at": "2012-11-23T20:55:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T18:41:58Z"
}
References

Affected packages

Maven / org.jboss.resteasy:resteasy-jaxb-provider

Package

Name
org.jboss.resteasy:resteasy-jaxb-provider
Purl
pkg:maven/org.jboss.resteasy/resteasy-jaxb-provider

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.2

Affected versions

1.*

1.0-beta-9
1.0-RC1
1.0.0.GA
1.0.1.GA
1.0.2.GA
1.1-RC1
1.1-RC2
1.1.GA
1.2.RC1
1.2.GA
1.2.1.GA

2.*

2.0-beta-1
2.0-beta-2
2.0-beta-3
2.0-beta-4
2.0-RC1
2.0.0.GA
2.0.1.GA
2.1-beta-1
2.1.0.GA
2.2-beta-1
2.2-RC-1
2.2.0.GA
2.2.1.GA
2.2.2.GA
2.2.3.GA
2.3-beta-1
2.3-RC1
2.3.0.GA
2.3.1.GA