CVE-2011-1483 — JBossWS vulnerable to uncontrolled recursion

Description

DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.

How to fix CVE-2011-1483

To remediate CVE-2011-1483, upgrade the affected package to a fixed version below.

Maven/org.jboss.ws:jbossws-common—upgrade to 2.1.0.Final or later

Is CVE-2011-1483 being exploited?

Low — EPSS is 3.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.1.0.Final

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-1483
PATCHgithub.com/jbossws/jbossws-common
WEBbugzilla.redhat.com/show_bug.cgi?id=692584
WEBsource.jboss.org/changelog/JBossWS/?cs=13996