RESTEasy SourceProvider unmarshals some content without XML External Entity protection. An attacker can use this flaw to launch an XXE attack on a RESTEasy endpoint which uses a wildcard mime-type or multipart mime-type. It's only possible to launch an attack if a mime-type of 'application/*+xml' is used specifically.
Name: Katerina Novotna (Red Hat)
Created resteasy tracking bugs for this issue:
Affects: fedora-all [bug 1448754]
After further analysis of this issue, it was determined that the flaw was in the XML Frameworks implementation on EAP 7, not in RESTEasy.
If you use a javax.xml.transform.TransformerFactory to process a javax.xml.transform.Source instance please be aware of this outstanding issue with that functionality on EAP 7.0.x:
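As an added example (not code from this bug, RESTEasy or EAP), the following shows how a caller that feeds a javax.xml.transform.Source into a TransformerFactory can disable external DTD and stylesheet access so that a document carrying an external entity is not resolved. It assumes the JDK's built-in JAXP implementation and uses a constructed sample document.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransform {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // A factory left at its defaults may try to resolve the SYSTEM identifier.
    static final String XML_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///example-external-resource\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Build a TransformerFactory that refuses external DTDs and stylesheets. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing turns on the JAXP resource limits; the two attributes
        // set the allowed protocols for external access to the empty set.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Run an identity transform of the given XML through the given factory. */
    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            String out = transform(hardenedFactory(), XML_WITH_EXTERNAL_ENTITY);
            System.out.println("Processed without external access: " + out);
        } catch (TransformerException e) {
            // Expected with the hardened factory: the external reference is denied.
            System.out.println("Rejected by hardened factory: " + e.getMessage());
        }
    }
}
```

The same two attributes can be applied to the factory that a SourceProvider-style unmarshaller uses internally; the point is that the protection belongs on the TransformerFactory, not on the REST layer in front of it.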