CVE-2016-8739 — Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS

Description

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

How to fix CVE-2016-8739

To remediate CVE-2016-8739, upgrade the affected package to a fixed version below.

—upgrade to 3.0.12 or later

Is CVE-2016-8739 being exploited?

Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.0.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-8739
WEBcxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc
WEBaccess.redhat.com/errata/RHSA-2017:0868
WEBgithub.com/apache/cxf
WEB