CVE-2017-14868: Improper Restriction of XML External Entity Reference

October 17, 2018 (updated September 26, 2023)

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.

References

github.com/advisories/GHSA-2mp8-qvqm-3xwq
github.com/restlet/restlet-framework-java/issues/1286
github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements
lgtm.com/blog/restlet_CVE-2017-14868
nvd.nist.gov/vuln/detail/CVE-2017-14868

Detect and mitigate CVE-2017-14868 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →