
CVE-2017-14868: Restlet Framework Jax-rs extension is vulnerable to XXE when using SimpleXMLProvider

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.58718%
Published: 10/17/2018
Updated: 9/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Package
Package Name: org.restlet.jse:org.restlet.ext.jaxrs
Ecosystem: maven
Vulnerable Versions: < 2.3.11
First Patched Version: 2.3.11

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from an improper XML parser configuration in the Jax-rs extension's SimpleXMLProvider. The advisory explicitly states that the issue occurs when SimpleXMLProvider is used, and the CWE-611 classification confirms it is an XXE flaw. The Restlet team's own security documentation notes that they forked the simple-xml library to address unsafe parsing. The readFrom method is the entry point for XML deserialization in JAX-RS providers, making it the logical location where external entity expansion would occur if the parser were not properly restricted.
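The analysis above points at the provider's readFrom path as the place where untrusted XML is parsed. The following is an added example, not code from Restlet or from the forked simple-xml library: it shows how a JAX-RS-style readFrom entry point can be backed by a JAXP DOM parser hardened against external entity expansion, and demonstrates with a constructed request body that a DOCTYPE carrying an external entity is rejected before any entity could be resolved. The class name HardenedXmlParsing, the readFrom signature and the sample bodies are assumptions made for this illustration; SimpleXMLProvider's real parsing path is not shown here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; not part of Restlet or simple-xml.
public class HardenedXmlParsing {

    // Returns a DocumentBuilderFactory configured so that DTDs, external
    // entities and external DTD/schema fetches are all refused.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: any DOCTYPE declaration aborts parsing.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Block file and network access for DTDs and schemas (JAXP 1.5 properties).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parses an untrusted request body and returns the root element name.
    // Plays the role of a JAX-RS provider's readFrom: the point at which
    // untrusted bytes become a parsed document.
    static String readFrom(byte[] body)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(body));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary request body without a DTD.
        byte[] benign = "<order><id>42</id></order>".getBytes(StandardCharsets.UTF_8);
        System.out.println("benign body root element: " + readFrom(benign));

        // Constructed sample: a body carrying a DOCTYPE with an external entity.
        // The entity URI is a placeholder; the point is that it is never resolved.
        byte[] withDoctype = (
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/local-file\">]>\n" +
            "<order><id>&ext;</id></order>").getBytes(StandardCharsets.UTF_8);
        try {
            readFrom(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected with the JDK's built-in parser: the DOCTYPE is rejected
            // at the declaration, before any entity lookup takes place.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the single control that closes the whole class of XXE and entity-expansion issues for inputs that have no legitimate need for a DTD; the remaining features and the ACCESS_EXTERNAL_* attributes are kept so that a parser implementation which ignores the first feature still cannot reach the file system or the network.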

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
