XML Entity Expansion Vulnerability in Apache CXF JAX-RS Module
CVE-2016-8739

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Cxf
Vendor
CVE Published:
10 August 2017

Summary

The JAX-RS module in Apache CXF versions prior to 3.0.12 and 3.1.x prior to 3.1.9 is vulnerable to XML External Entity (XXE) injection. This vulnerability arises due to the presence of MessageBodyReaders that utilize the Apache Abdera Parser, which by default expands XML entities. This expansion can allow an attacker to exploit the system by manipulating XML input, potentially disclosing sensitive information or causing unintended operations. Organizations using affected versions of Apache CXF should take immediate action to upgrade to secure releases to mitigate the risk.

Affected Version(s)

Apache CXF prior to 3.0.12

Apache CXF 3.1.x prior to 3.1.9

References

http://www.securityfocus.com/bid/97579
vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2017:0868
vendor-advisoryx_refsource_REDHAT
http://www.securitytracker.com/id/1037544
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.