#VU41063 Input validation error in Resteasy - CVE-2014-7839

Cybersecurity Help s.r.o.

Published: 2014-11-25 | Updated: 2020-08-09

Vulnerability identifier: #VU41063

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-7839

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Resteasy
Other software / Other software solutions

Vendor: resteasy

Description

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Resteasy: 2.3.7 - 3.0.9

External links
https://rhn.redhat.com/errata/RHSA-2015-0675.html
https://rhn.redhat.com/errata/RHSA-2015-0773.html
https://rhn.redhat.com/errata/RHSA-2015-0850.html
https://rhn.redhat.com/errata/RHSA-2015-0851.html
https://secunia.com/advisories/62580
https://issues.jboss.org/browse/RESTEASY-1130

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Resteasy