CyberSec.Space Logo
Back to CVE Browser

CVE-2017-14949

HIGH
7.5
CVSS Severity Score
EPSS Score0.1010%
EPSS Percentile23.68th
PublishedNov 30, 2017
Last ModifiedMay 13, 2026

Vulnerability Description

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.

Affected Platforms (CPE)

πŸ“¦
Restlet

Restlet

< 2.3.12

References & Advisories

πŸ”— https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements
πŸ”— https://lgtm.com/blog/restlet_CVE-2017-14949
πŸ”— https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements
πŸ”— https://lgtm.com/blog/restlet_CVE-2017-14949

Related Vulnerabilities

CVE-2012-26567.5

An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtai...

CVE-2013-42217.5

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources us...

CVE-2013-42717.5

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, w...

CVE-2017-148687.5

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack...