CVE-2014-3530 Vulnerability in maven package org.picketlink:picketlink-common

Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-0883.html

http://rhn.redhat.com/errata/RHSA-2014-0884.html

http://rhn.redhat.com/errata/RHSA-2014-0885.html

http://rhn.redhat.com/errata/RHSA-2014-0886.html

http://rhn.redhat.com/errata/RHSA-2015-0091.html

http://rhn.redhat.com/errata/RHSA-2015-0675.html

http://rhn.redhat.com/errata/RHSA-2015-0720.html

http://rhn.redhat.com/errata/RHSA-2015-0765.html

http://rhn.redhat.com/errata/RHSA-2015-1888.html

http://secunia.com/advisories/60047

http://secunia.com/advisories/60124

http://www.securitytracker.com/id/1030607

https://exchange.xforce.ibmcloud.com/vulnerabilities/94700

Related Vulnerabilities

CVE-2018-17195 Vulnerability in maven package org.apache.nifi:nifi-web-api

CVE-2019-10246 Vulnerability in maven package org.eclipse.jetty:jetty-util

CVE-2023-20873 Vulnerability in maven package org.springframework.boot:spring-boot-actuator-autoconfigure

CVE-2022-25204 Vulnerability in maven package by.dev.madhead.doktor:doktor

CVE-2018-1000401 Vulnerability in maven package org.jenkins-ci.plugins:aws-codepipeline

Severity

Critical

Classification

CWE-200