The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

References

• https://nvd.nist.gov/vuln/detail/CVE-2011-5245
• https://bugzilla.redhat.com/show_bug.cgi?id=785631
• https://exchange.xforce.ibmcloud.com/vulnerabilities/72808
• https://issues.jboss.org/browse/RESTEASY-647
• https://issues.jboss.org/browse/RESTEASY/fixforversion/12318708
• http://rhn.redhat.com/errata/RHSA-2012-1056.html
• http://rhn.redhat.com/errata/RHSA-2012-1058.html
• http://rhn.redhat.com/errata/RHSA-2012-1059.html
• http://rhn.redhat.com/errata/RHSA-2014-0371.html
• http://rhn.redhat.com/errata/RHSA-2014-0372.html
• http://www.osvdb.org/78680
• resteasy/resteasy#34