cvelistv5 - CVE-2016-8739

URL	Tags
security@apache.org	http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc	Patch, Vendor Advisory
security@apache.org	http://www.securityfocus.com/bid/97579	Third Party Advisory, VDB Entry
security@apache.org	http://www.securitytracker.com/id/1037544	Third Party Advisory, VDB Entry
security@apache.org	https://access.redhat.com/errata/RHSA-2017:0868
security@apache.org	https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

▼	Vendor	Product
	Apache Software Foundation	Apache CXF

gsd-2016-8739

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Aliases

CVE-2016-8739

Aliases

CVE-2016-8739

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-8739",
    "description": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
    "id": "GSD-2016-8739",
    "references": [
      "https://access.redhat.com/errata/RHSA-2017:0868"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-8739"
      ],
      "details": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
      "id": "GSD-2016-8739",
      "modified": "2023-12-13T01:21:22.170541Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "DATE_PUBLIC": "2016-12-19T00:00:00",
        "ID": "CVE-2016-8739",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache CXF",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "prior to 3.0.12"
                        },
                        {
                          "version_value": "3.1.x prior to 3.1.9"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "XXE risk"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "97579",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97579"
          },
          {
            "name": "RHSA-2017:0868",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2017:0868"
          },
          {
            "name": "1037544",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1037544"
          },
          {
            "name": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc",
            "refsource": "CONFIRM",
            "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"
          },
          {
            "name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
          },
          {
            "name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
          },
          {
            "name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
          },
          {
            "name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
          },
          {
            "name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
          },
          {
            "name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,3.0.11],[3.1.0,3.1.8]",
          "affected_versions": "All versions up to 3.0.11, all versions starting from 3.1.0 up to 3.1.8",
          "cvss_v2": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2022-07-06",
          "description": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
          "fixed_versions": [
            "3.0.12",
            "3.1.9"
          ],
          "identifier": "CVE-2016-8739",
          "identifiers": [
            "GHSA-x7xf-253v-x3w8",
            "CVE-2016-8739"
          ],
          "not_impacted": "All versions after 3.0.11 before 3.1.0, all versions after 3.1.8",
          "package_slug": "maven/org.apache.cxf/cxf-core",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to versions 3.0.12, 3.1.9 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2016-8739",
            "https://access.redhat.com/errata/RHSA-2017:0868",
            "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E",
            "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E",
            "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E",
            "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E",
            "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E",
            "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E",
            "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc",
            "https://github.com/advisories/GHSA-x7xf-253v-x3w8"
          ],
          "uuid": "b3e861ea-d881-489c-89c5-04cb7d02478f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.0.11",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:cxf:3.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2016-8739"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"
            },
            {
              "name": "1037544",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1037544"
            },
            {
              "name": "97579",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97579"
            },
            {
              "name": "RHSA-2017:0868",
              "refsource": "REDHAT",
              "tags": [],
              "url": "https://access.redhat.com/errata/RHSA-2017:0868"
            },
            {
              "name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
            },
            {
              "name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-06-16T12:15Z",
      "publishedDate": "2017-08-10T18:29Z"
    }
  }
}

rhsa-2017_0868

Vulnerability from csaf_redhat

Published

2017-04-03 21:02

Modified

2024-11-05 19:57

Summary

Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update

Notes

Topic

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Security Fix(es): * It was reported that Elasticsearch had vulnerabilities in the Groovy scripting engine, which allow an attacker to construct scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. (CVE-2015-1427) * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814) * It was found that Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2012-5783) * It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter. (CVE-2016-1000229) * A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. (CVE-2016-6812) * Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk. (CVE-2016-8739) * A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there's no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data. (CVE-2016-9177) * It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send specially crafted payload to a camel-snakeyaml endpoint and causing a remote code execution attack. (CVE-2017-3159)

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was reported that Elasticsearch had vulnerabilities in the Groovy scripting engine, which allow an attacker to construct scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. (CVE-2015-1427)\n\n* It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)\n\n* It was found that Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2012-5783)\n\n* It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter. (CVE-2016-1000229)\n\n* A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. (CVE-2016-6812)\n\n* Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk. (CVE-2016-8739)\n\n* A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there\u0027s no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data. (CVE-2016-9177)\n\n* It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send specially crafted payload to a camel-snakeyaml endpoint and causing a remote code execution attack. (CVE-2017-3159)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2017:0868",
        "url": "https://access.redhat.com/errata/RHSA-2017:0868"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
        "url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
      },
      {
        "category": "external",
        "summary": "873317",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
      },
      {
        "category": "external",
        "summary": "1191969",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
      },
      {
        "category": "external",
        "summary": "1360275",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
      },
      {
        "category": "external",
        "summary": "1393607",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
      },
      {
        "category": "external",
        "summary": "1406810",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
      },
      {
        "category": "external",
        "summary": "1406811",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
      },
      {
        "category": "external",
        "summary": "1413466",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
      },
      {
        "category": "external",
        "summary": "1420834",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0868.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-05T19:57:39+00:00",
      "generator": {
        "date": "2024-11-05T19:57:39+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2017:0868",
      "initial_release_date": "2017-04-03T21:02:28+00:00",
      "revision_history": [
        {
          "date": "2017-04-03T21:02:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2018-07-02T15:51:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T19:57:39+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss A-MQ 6.3",
                "product": {
                  "name": "Red Hat JBoss A-MQ 6.3",
                  "product_id": "Red Hat JBoss A-MQ 6.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:6.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Fuse 6.3",
                "product": {
                  "name": "Red Hat JBoss Fuse 6.3",
                  "product_id": "Red Hat JBoss Fuse 6.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:6.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2012-5783",
      "discovery_date": "2012-11-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "873317"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-5783"
        },
        {
          "category": "external",
          "summary": "RHBZ#873317",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-5783",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783"
        }
      ],
      "release_date": "2012-10-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name"
    },
    {
      "cve": "CVE-2015-1427",
      "discovery_date": "2015-02-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1191969"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: remote code execution via Groovy sandbox bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-1427"
        },
        {
          "category": "external",
          "summary": "RHBZ#1191969",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-1427",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-1427"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2015-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-25T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "elasticsearch: remote code execution via Groovy sandbox bypass"
    },
    {
      "cve": "CVE-2015-7559",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2015-07-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1293972"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the Apache ActiveMQ client exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ActiveMQ: DoS in client via shutdown command",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-7559"
        },
        {
          "category": "external",
          "summary": "RHBZ#1293972",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1293972"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-7559",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-7559"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559"
        }
      ],
      "release_date": "2017-04-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "ActiveMQ: DoS in client via shutdown command"
    },
    {
      "cve": "CVE-2016-6812",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1406810"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6812"
        },
        {
          "category": "external",
          "summary": "RHBZ#1406810",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6812",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6812"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812"
        },
        {
          "category": "external",
          "summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2",
          "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2"
        }
      ],
      "release_date": "2016-12-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter"
    },
    {
      "cve": "CVE-2016-6814",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2017-01-12T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1413466"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Groovy: Remote code execution via deserialization",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-6814"
        },
        {
          "category": "external",
          "summary": "RHBZ#1413466",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
        }
      ],
      "release_date": "2017-01-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Groovy: Remote code execution via deserialization"
    },
    {
      "cve": "CVE-2016-8739",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2016-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1406811"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-8739"
        },
        {
          "category": "external",
          "summary": "RHBZ#1406811",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-8739",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-8739"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
        },
        {
          "category": "external",
          "summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2",
          "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2"
        }
      ],
      "release_date": "2016-12-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE"
    },
    {
      "cve": "CVE-2016-9177",
      "discovery_date": "2016-11-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1393607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there\u0027s no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Spark: Directory traversal vulnerability in version 2.5",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-9177"
        },
        {
          "category": "external",
          "summary": "RHBZ#1393607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-9177",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-9177"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2016/Nov/13",
          "url": "http://seclists.org/fulldisclosure/2016/Nov/13"
        }
      ],
      "release_date": "2016-11-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Spark: Directory traversal vulnerability in version 2.5"
    },
    {
      "cve": "CVE-2016-1000229",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2016-07-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1360275"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "swagger-ui: cross-site scripting in key names",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-1000229"
        },
        {
          "category": "external",
          "summary": "RHBZ#1360275",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000229",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000229"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229"
        },
        {
          "category": "external",
          "summary": "https://nodesecurity.io/advisories/126",
          "url": "https://nodesecurity.io/advisories/126"
        }
      ],
      "release_date": "2016-07-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "swagger-ui: cross-site scripting in key names"
    },
    {
      "cve": "CVE-2017-3159",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2017-02-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1420834"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send specially crafted payload to a camel-snakeyaml endpoint and causing a remote code execution attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.3",
          "Red Hat JBoss Fuse 6.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2017-3159"
        },
        {
          "category": "external",
          "summary": "RHBZ#1420834",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2017-3159",
          "url": "https://www.cve.org/CVERecord?id=CVE-2017-3159"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159"
        },
        {
          "category": "external",
          "summary": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc",
          "url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc"
        }
      ],
      "release_date": "2016-12-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2017-04-03T21:02:28+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2017:0868"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.3",
            "Red Hat JBoss Fuse 6.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE"
    }
  ]
}

ghsa-x7xf-253v-x3w8

Vulnerability from github

Published

2022-05-13 01:09

Modified

2023-12-21 22:58

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS

Details

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf:cxf-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf:cxf-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-8739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:47:38Z",
    "nvd_published_at": "2017-08-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
  "id": "GHSA-x7xf-253v-x3w8",
  "modified": "2023-12-21T22:58:21Z",
  "published": "2022-05-13T01:09:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf/commit/8e4970d9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf/commit/9deb2d17"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS"
}

Action not permitted

CVE-2016-8739

Vulnerability from cvelistv5

gsd-2016-8739

Vulnerability from gsd

rhsa-2017_0868

Vulnerability from csaf_redhat

ghsa-x7xf-253v-x3w8

Vulnerability from github

Tags