CVE-2016-8739

Summary

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXFprior to 3.0.12affected
Apache Software FoundationApache CXF3.1.x prior to 3.1.9affected

Weaknesses

  • XXE risk

ADP Enrichment

CVE Program Container

Additional References

References