Skip to content

XML External Entity Reference in org.picketlink:picketlink-common

High severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Jan 30, 2023

Package

maven org.picketlink:picketlink-common (Maven)

Affected versions

< 2.7.0.Final

Patched versions

2.7.0.Final

Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

References

Published by the National Vulnerability Database Jul 22, 2014
Published to the GitHub Advisory Database May 14, 2022
Reviewed Nov 1, 2022
Last updated Jan 30, 2023

Severity

High

EPSS score

0.849%
(82nd percentile)

Weaknesses

CVE ID

CVE-2014-3530

GHSA ID

GHSA-2c9q-qwrc-f486

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.