{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83"}, {"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "60019", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60019"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/resteasy/Resteasy/pull/521"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/resteasy/Resteasy/pull/533"}, {"name": "RHSA-2014:1039", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1039.html"}, {"name": "69058", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/69058"}, {"name": "RHSA-2015:0125", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"name": "RHSA-2014:1040", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1040.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "RHSA-2014:1011", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1011.html"}, {"name": "RHSA-2014:1298", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1298.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3490", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83", "refsource": "MISC", "url": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83"}, {"name": "RHSA-2015:0765", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"name": "RHSA-2015:0675", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "60019", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60019"}, {"name": "RHSA-2015:0720", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "https://github.com/resteasy/Resteasy/pull/521", "refsource": "CONFIRM", "url": "https://github.com/resteasy/Resteasy/pull/521"}, {"name": "https://github.com/resteasy/Resteasy/pull/533", "refsource": "CONFIRM", "url": "https://github.com/resteasy/Resteasy/pull/533"}, {"name": "RHSA-2014:1039", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1039.html"}, {"name": "69058", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69058"}, {"name": "RHSA-2015:0125", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"name": "RHSA-2014:1040", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1040.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "RHSA-2014:1011", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1011.html"}, {"name": "RHSA-2014:1298", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1298.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:43:06.288Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83"}, {"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "60019", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60019"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/resteasy/Resteasy/pull/521"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/resteasy/Resteasy/pull/533"}, {"name": "RHSA-2014:1039", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1039.html"}, {"name": "69058", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/69058"}, {"name": "RHSA-2015:0125", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"name": "RHSA-2014:1040", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1040.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "RHSA-2014:1011", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1011.html"}, {"name": "RHSA-2014:1298", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1298.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3490", "datePublished": "2014-08-19T18:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:43:06.288Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A69B5EA1-06B9-4FAC-A4D7-F1C444D00880", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", "matchCriteriaId": "5303B559-AC77-43BC-94F8-38F985012FE4", "versionEndIncluding": "2.3.7.2", "versionStartIncluding": "2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", "matchCriteriaId": "01641485-D759-47A6-9CBD-D33BD6558855", "versionEndExcluding": "3.0.9", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "03690059-E1AE-4462-B293-4F43B301A67A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "10AE20C3-AD77-4879-9364-F068D441700A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "BDA6C489-58EC-4ABC-8463-00042D37B43E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "07FE38E4-DC56-4D76-9F03-D6C27FE8EDB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "9C653811-4E2D-4556-85FE-A54589E11147", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "9AB8BECD-763A-4AB0-9D43-DF3860D2D67A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC6EB5FE-C32B-45D6-B70C-AB5FBD012C8F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818."}, {"lang": "es", "value": "RESTEasy 2.3.1 anterior a 2.3.8.SP2 y 3.x anterior a 3.0.9, utilizado en Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, no deshabilita entidades externas cuando el par\u00e1metro resteasy.document.expand.entity.references est\u00e1 configurado en falso, lo que permite a atacantes remotos leer ficheros arbitrarios y tener otro impacto no especificado a trav\u00e9s de vectores no especificados, relacionado con un problema de entidad externa XML (XXE). NOTA: este vulnerabilidad existe debido a una soluci\u00f3n incompleta para el CVE-2012-0818."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\" rel=\"nofollow\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2014-3490", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-08-19T18:55:02.013", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1011.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1039.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1040.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1298.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/60019"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/69058"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/resteasy/Resteasy/pull/521"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/resteasy/Resteasy/pull/533"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1039.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1298.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/60019"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/69058"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/resteasy/Resteasy/pull/521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/resteasy/Resteasy/pull/533"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by David Jorm (Red Hat Product Security).", "affected_release": [{"advisory": "RHSA-2014:1011", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "resteasy-base-0:2.3.5-3.el7_0", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2014-08-06T00:00:00Z"}, {"advisory": "RHSA-2015:0234", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "resteasy", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0235", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "resteasy", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2014:1298", "cpe": "cpe:/a:redhat:jboss_data_grid:6.3.1", "product_name": "Red Hat JBoss Data Grid 6.3", "release_date": "2014-09-24T00:00:00Z"}, {"advisory": "RHSA-2015:0765", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0", "package": "resteasy", "product_name": "Red Hat JBoss Data Virtualization 6.0", "release_date": "2015-03-31T00:00:00Z"}, {"advisory": "RHSA-2015:0675", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.1", "product_name": "Red Hat JBoss Data Virtualization 6.1", "release_date": "2015-03-11T00:00:00Z"}, {"advisory": "RHSA-2014:1039", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.3", "package": "resteasy", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3", "release_date": "2014-08-11T00:00:00Z"}, {"advisory": "RHSA-2014:1040", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5", "package": "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5", "release_date": "2014-08-11T00:00:00Z"}, {"advisory": "RHSA-2014:1040", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package": "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6", "release_date": "2014-08-11T00:00:00Z"}, {"advisory": "RHSA-2014:1040", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package": "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7", "release_date": "2014-08-11T00:00:00Z"}, {"advisory": "RHSA-2015:0720", "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "package": "resteasy", "product_name": "Red Hat JBoss Fuse Service Works 6.0", "release_date": "2015-03-24T00:00:00Z"}, {"advisory": "RHSA-2014:1904", "cpe": "cpe:/a:redhat:jboss_operations_network:3.3", "package": "resteasy", "product_name": "Red Hat JBoss Operations Network 3.3", "release_date": "2014-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:1009", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package": "resteasy", "product_name": "Red Hat JBoss Portal 6.2", "release_date": "2015-05-14T00:00:00Z"}, {"advisory": "RHSA-2015:0125", "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.7.0", "package": "resteasy", "product_name": "Red Hat JBoss Web Framework Kit 2.7", "release_date": "2015-02-04T00:00:00Z"}], "bugzilla": {"description": "RESTEasy: XXE via parameter entities", "id": "1107901", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1107901"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.", "It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks."], "name": "CVE-2014-3490", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Affected", "package_name": "resteasy", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "ewp-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "resteasy", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "candlepin", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "resteasy", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2014-07-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3490\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3490"], "threat_severity": "Moderate"}