It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
This issue was discovered by David Jorm of Red Hat Product Security.
This issue has been addressed in the following products:
JBoss Data Virtualization 6.0.0
Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html
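A generic mitigation for the class of flaw described above, as an added example that is not Odata4j's code or the fix shipped in RHSA-2015:0034: a StAX reader that disables DTD support and external entity resolution and refuses any request body carrying a DOCTYPE. The class and method names are hypothetical, and both sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical class: not part of Odata4j or of the Red Hat fix.
public class HardenedXmlReader {
    // StAX factory that neither processes DTDs nor resolves external entities.
    static XMLInputFactory newHardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Returns the document's character data. A request body has no need for a
    // DOCTYPE, so any DTD event is refused; parse errors also surface as exceptions.
    static String readText(String body) throws XMLStreamException {
        XMLStreamReader reader = newHardenedFactory().createXMLStreamReader(new StringReader(body));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.DTD) {
                    throw new XMLStreamException("DOCTYPE not allowed in request body");
                }
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the SYSTEM identifier is a placeholder path.
        String benign = "<entry><title>ok</title></entry>";
        String withEntity = "<!DOCTYPE entry [<!ENTITY e SYSTEM \"file:///placeholder/path\">]>"
                + "<entry><title>&e;</title></entry>";
        System.out.println("benign -> " + readText(benign));
        try {
            readText(withEntity);
        } catch (XMLStreamException ex) {
            System.out.println("entity document rejected: " + ex.getMessage());
        }
    }
}
```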