CVE-2017-14949
Restlet Framework allows remote attackers to access arbitrary files via a crafted REST API HTTP request
7.5
HIGH
CVSS 3.1
EPSS 0.32%
Description
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because the XML parser configuration only disables external general entities and leaves external parameter entities enabled. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
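As an added illustration (not Restlet's own code), the following JAXP configuration shows the gap the description names, a factory that disables only general external entities, beside a fully hardened factory; the class name, the sample document and the placeholder DTD URL are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class XxeHardening {
    // Constructed sample: an internal DTD subset declares a parameter entity
    // that points at an external DTD (placeholder host). A parser that blocks
    // only general external entities still resolves %ext; and fetches it.
    static final String UNTRUSTED =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY % ext SYSTEM \"http://dtd.example.invalid/x.dtd\"> %ext; ]>\n"
      + "<data>hello</data>";

    // Incomplete hardening, mirroring the advisory: only general external
    // entities are disabled, so parameter entities are still resolved.
    static DocumentBuilderFactory incompleteFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return f;
    }

    // Complete hardening: refuse DOCTYPE outright and, as defence in depth,
    // disable both entity classes, external DTD/schema access and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the sample with the given factory and reports the outcome. With
    // the incomplete factory the parser tries to fetch the DTD (here failing on
    // the unresolvable host); the hardened one rejects the DOCTYPE before any
    // resolution takes place.
    static String tryParse(DocumentBuilderFactory f) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(UNTRUSTED.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + d.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("incomplete -> " + tryParse(incompleteFactory()));
        System.out.println("hardened   -> " + tryParse(hardenedFactory()));
    }
}
```

Disallowing the DOCTYPE declaration is the single setting that closes both entity classes at once; the remaining features guard deployments that must accept a DTD.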
How to fix CVE-2017-14949
To remediate CVE-2017-14949, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.12 or later
Is CVE-2017-14949 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions >= 0 and < 2.3.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |