CVE-2014-3530 — XML External Entity Reference in org.picketlink:picketlink-common

Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

How to fix CVE-2014-3530

To remediate CVE-2014-3530, upgrade the affected package to a fixed version below.

Maven/org.picketlink:picketlink-common—upgrade to 2.7.0.Final or later

Is CVE-2014-3530 being exploited?

Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.7.0.Final

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3530
PATCHgithub.com/picketlink/picketlink
WEBrhn.redhat.com/errata/RHSA-2014-0883.html
WEBrhn.redhat.com/errata/RHSA-2014-0884.html
WEBrhn.redhat.com