Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider

2018-10-1700:04:31

Google

osv.dev

EPSS

0.003

Percentile

65.3%

JSON

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

References

github.com/advisories/GHSA-2mp8-qvqm-3xwq

github.com/restlet/restlet-framework-java

github.com/restlet/restlet-framework-java/issues/1286

github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements

lgtm.com/blog/restlet_CVE-2017-14868

nvd.nist.gov/vuln/detail/CVE-2017-14868

EPSS

0.003

Percentile

65.3%

JSON

Related for OSV:GHSA-2MP8-QVQM-3XWQ