Information disclosure in JBoss Enterprise Application Platform - CVE-2014-3530
Published: July 22, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41462
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-3530
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Enterprise Application Platform
JBoss Enterprise Application Platform
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
How to mitigate CVE-2014-3530
Install update from vendor's website.
Sources
- http://rhn.redhat.com/errata/RHSA-2014-0883.html
- http://rhn.redhat.com/errata/RHSA-2014-0884.html
- http://rhn.redhat.com/errata/RHSA-2014-0885.html
- http://rhn.redhat.com/errata/RHSA-2014-0886.html
- http://rhn.redhat.com/errata/RHSA-2015-0091.html
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
- http://secunia.com/advisories/60047
- http://secunia.com/advisories/60124
- http://www.securitytracker.com/id/1030607
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94700