CVE-2011-5245 — Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy

Description

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

How to fix CVE-2011-5245

To remediate CVE-2011-5245, upgrade the affected package to a fixed version below.

Maven/org.jboss.resteasy:resteasy-jaxb-provider—upgrade to 2.3.2 or later

Is CVE-2011-5245 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3.2

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-5245
PATCHgithub.com/resteasy/Resteasy
WEBrhn.redhat.com/errata/RHSA-2012-1056.html
WEBrhn.redhat.com/errata/RHSA-2012-1058.html
WEBrhn.redhat.com