CVE-2016-8739

CVSS v3.0 7.5 (High)

CVSS v2.0 7.8 (High)

EPSS 0.55 % (78^th)

Affected Products 1

Advisories 2

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Weaknesses

CWE-611: Improper Restriction of XML External Entity Reference

CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2017-08-10 18:29:00
(7 years ago)
Updated Date: 2023-11-07 02:36:28
(10 months ago)

Affected Products

Apache

Configuration #1

	CPE23	Up To
Apache Cxf 3.0.11 and prior versions	cpe:2.3:a:apache:cxf	<= 3.0.11
Apache Cxf 3.1.0	cpe:2.3:a:apache:cxf:3.1.0
Apache Cxf 3.1.1	cpe:2.3:a:apache:cxf:3.1.1
Apache Cxf 3.1.2	cpe:2.3:a:apache:cxf:3.1.2
Apache Cxf 3.1.3	cpe:2.3:a:apache:cxf:3.1.3
Apache Cxf 3.1.4	cpe:2.3:a:apache:cxf:3.1.4
Apache Cxf 3.1.5	cpe:2.3:a:apache:cxf:3.1.5
Apache Cxf 3.1.6	cpe:2.3:a:apache:cxf:3.1.6
Apache Cxf 3.1.7	cpe:2.3:a:apache:cxf:3.1.7
Apache Cxf 3.1.8	cpe:2.3:a:apache:cxf:3.1.8