[email protected]CVE-2016-8739

HistoryAug 10, 2017 - 6:29 p.m.

CVE-2016-8739

2017-08-1018:29:00

CWE-611

[email protected]

web.nvd.nist.gov

cve-2016-8739

apache cxf

jax-rs

xxe

nvd

security vulnerability

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.6%

JSON

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Affected configurations

Vulners

NVD

Node

apachecxfRange≤3.0.12

CPENameOperatorVersion
apache:cxfapache cxfle3.0.11
apache:cxfapache cxfeq3.1.0
apache:cxfapache cxfeq3.1.1
apache:cxfapache cxfeq3.1.2
apache:cxfapache cxfeq3.1.3
apache:cxfapache cxfeq3.1.4
apache:cxfapache cxfeq3.1.5
apache:cxfapache cxfeq3.1.6
apache:cxfapache cxfeq3.1.7
apache:cxfapache cxfeq3.1.8

CPE	Name	Operator	Version
apache:cxf	apache cxf	le	3.0.11
apache:cxf	apache cxf	eq	3.1.0
apache:cxf	apache cxf	eq	3.1.1
apache:cxf	apache cxf	eq	3.1.2
apache:cxf	apache cxf	eq	3.1.3
apache:cxf	apache cxf	eq	3.1.4
apache:cxf	apache cxf	eq	3.1.5
apache:cxf	apache cxf	eq	3.1.6
apache:cxf	apache cxf	eq	3.1.7
apache:cxf	apache cxf	eq	3.1.8

CNA Affected

[
  {
    "product": "Apache CXF",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "prior to 3.0.12"
      },
      {
        "status": "affected",
        "version": "3.1.x prior to 3.1.9"
      }
    ]
  }
]