GHSA-x7xf-253v-x3w8

Source

https://github.com/advisories/GHSA-x7xf-253v-x3w8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x7xf-253v-x3w8/GHSA-x7xf-253v-x3w8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x7xf-253v-x3w8

Aliases

CVE-2016-8739

Published

2022-05-13T01:09:20Z

Modified

2024-02-22T05:32:37.182266Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS

Details

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Database specific

{
    "nvd_published_at": "2017-08-10T18:29:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:47:38Z"
}

References

Affected packages

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.12

Affected versions

3.*

3.0.0-milestone1

3.0.0-milestone2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

Database specific

{
    "last_known_affected_version_range": "<= 3.0.11"
}

Maven / org.apache.cxf:cxf-core

Package

Name: org.apache.cxf:cxf-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.9

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

Database specific

{
    "last_known_affected_version_range": "<= 3.1.8"
}