RESTEasy SourceProvider unmarshals some content without XML External Entity (XXE) protection. An attacker can use this flaw to launch an XXE attack on a RESTEasy endpoint that uses a wildcard or multipart mime-type. It is only possible to launch an attack if a mime-type of 'application/*+xml' is specifically used.
Acknowledgments: Name: Katerina Novotna (Red Hat)
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1448754]
Statement: After further analysis of this issue, it was determined that the flaw was in the XML Frameworks implementation on EAP 7, not in RESTEasy. If you use a javax.xml.transform.TransformerFactory to process a javax.xml.transform.Source instance, please be aware of this outstanding issue with that functionality on EAP 7.0.x: https://bugzilla.redhat.com/show_bug.cgi?id=1451960