The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cxf | Apache | * | 3.0.11 (including) |
| Cxf | Apache | 3.1.0 (including) | 3.1.0 (including) |
| Cxf | Apache | 3.1.1 (including) | 3.1.1 (including) |
| Cxf | Apache | 3.1.2 (including) | 3.1.2 (including) |
| Cxf | Apache | 3.1.3 (including) | 3.1.3 (including) |
| Cxf | Apache | 3.1.4 (including) | 3.1.4 (including) |
| Cxf | Apache | 3.1.5 (including) | 3.1.5 (including) |
| Cxf | Apache | 3.1.6 (including) | 3.1.6 (including) |
| Cxf | Apache | 3.1.7 (including) | 3.1.7 (including) |
| Cxf | Apache | 3.1.8 (including) | 3.1.8 (including) |
| Red Hat JBoss A-MQ 6.3 | RedHat | * | |
| Red Hat JBoss Fuse 6.3 | RedHat | * |