Bug 1520471 (CVE-2017-14949)

Summary: CVE-2017-14949 restlet: XXE vulnerability in XML extension allows remote attackers to access arbitrary files via a crafted REST API HTTP request
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, chazlett, gvarsami, java-sig-commits, jcoleman, ldimaggi, nwallace, puntogil, rwagner, tcunning, tkirby
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: restlet 2.3.12
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 11:57:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1520472
Bug Blocks: 1520474

Description Adam Mariš 2017-12-04 14:34:41 UTC
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.

External References:

https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements#vulnerability-cve-2017-14949
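The description above turns on the difference between general and parameter external entities: disabling only the former leaves a DTD free to declare a parameter entity whose system identifier the parser will go and resolve. The following Java program is an added illustration, not Restlet's code and not part of this bug report. It builds two plain JAXP DocumentBuilderFactory configurations: a partial one that only switches off general external entities, mirroring the incomplete handling described, and a hardened one that refuses DOCTYPE altogether and disables every entity- and DTD-fetching feature. A small recording EntityResolver (RecordingResolver, a name chosen here) logs whether the parser tried to resolve an external identifier and hands back empty content, so the check runs without touching disk or network. The sample request body and its placeholder file URI are constructed for the example; the feature URIs are the standard SAX and Xerces names honoured by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeParserCheck {

    /** Records every external identifier the parser asks for, without fetching it. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            requested.add(systemId);
            // Hand back empty content so nothing is actually read from disk or network.
            return new InputSource(new StringReader(""));
        }
    }

    /** Incomplete hardening: only general external entities are switched off. */
    static DocumentBuilderFactory partialFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // external-parameter-entities is left at its default (enabled), so a DTD
        // can still declare "<!ENTITY % name SYSTEM ...>" and have it resolved.
        return f;
    }

    /** Hardened: no DOCTYPE at all, plus every entity/DTD fetch feature disabled. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the body with the given factory and reports what the parser did. */
    static String probe(String label, DocumentBuilderFactory f, String xml) {
        RecordingResolver resolver = new RecordingResolver();
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.setEntityResolver(resolver);
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return label + ": parsed <" + d.getDocumentElement().getTagName()
                    + ">, external lookups attempted: " + resolver.requested;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ": "
                    + e.getMessage() + "), external lookups attempted: " + resolver.requested;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample body: a DOCTYPE that declares a parameter entity with an
        // external system identifier. The URI is a placeholder and is never fetched,
        // because RecordingResolver intercepts the lookup.
        String body = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [\n"
                + "  <!ENTITY % ext SYSTEM \"file:///placeholder/not-a-real-path\">\n"
                + "  %ext;\n"
                + "]>\n"
                + "<data>hello</data>";

        System.out.println(probe("partial", partialFactory(), body));
        System.out.println(probe("hardened", hardenedFactory(), body));
    }
}
```

Run against the JDK's bundled Xerces, the partial configuration parses the document and the resolver records the parameter entity's system identifier, which is exactly the lookup that an XML-consuming REST endpoint must not perform; the hardened configuration stops at the DOCTYPE declaration and the resolver records nothing. Whether a lookup is attempted is a property of the parser implementation, so this probe is worth rerunning whenever the XML library or its defaults change.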

Comment 1 Adam Mariš 2017-12-04 14:35:05 UTC
Created restlet-jse tracking bugs for this issue:

Affects: fedora-all [bug 1520472]