{"containers": {"cna": {"affected": [{"product": "HornetQ REST", "vendor": "HornetQ REST", "versions": [{"status": "affected", "version": "Fixed In Version: 2.5.0"}]}], "descriptions": [{"lang": "en", "value": "HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy"}], "problemTypes": [{"descriptions": [{"description": "XXE due to insecure configuration of RestEasy", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-12T13:27:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2014-3599"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3599", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HornetQ REST", "version": {"version_data": [{"version_value": "Fixed In Version: 2.5.0"}]}}]}, "vendor_name": "HornetQ REST"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XXE due to insecure configuration of RestEasy"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"}, {"name": "https://access.redhat.com/security/cve/cve-2014-3599", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/cve-2014-3599"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.655Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2014-3599"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3599", "datePublished": "2019-11-12T13:27:04", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.655Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:hornetq:*:*:*:*:*:*:*:*", "matchCriteriaId": "329C7B77-0C3D-4B68-BC50-5016EBC39045", "versionEndIncluding": "2.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy"}, {"lang": "es", "value": "HornetQ REST es vulnerable a un problema de tipo XML External Entity, debido a una configuraci\u00f3n no segura de RestEasy."}], "id": "CVE-2014-3599", "lastModified": "2019-11-14T15:07:26.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-12T14:15:11.093", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/cve-2014-3599"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Georgi Geshev (MWR Labs) for reporting this issue.", "bugzilla": {"description": "REST: XXE due to insecure configuration of RestEasy", "id": "1130383", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1130383"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy", "It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks."], "mitigation": {"lang": "en:us", "value": "When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:\n<context-param>\n<param-name>resteasy.document.expand.entity.references</param-name>\n<param-value>false</param-value>\n</context-param>\nNote that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element."}, "name": "CVE-2014-3599", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "all", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "hornetq", "product_name": "Red Hat Satellite 6"}], "public_date": "2014-11-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3599\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3599"], "statement": "Not Vulnerable. HornetQ REST is not provided by any Red Hat product.", "threat_severity": "Moderate", "upstream_fix": "hornetq-rest 2.5.0.Beta1"}