CVE-2017-7492
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-7492 from the MITRE CVE dictionary and NIST NVD.
Statement
After further analysis of this issue, it was determined that the flaw was in the XML Frameworks implementation on EAP 7, not in RESTEasy.
If you use a javax.xml.transform.TransformerFactory to process a javax.xml.transform.Source instance, please be aware of this outstanding issue with that functionality on EAP 7.0.x:
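The Statement above is a warning about how the EAP 7 XML frameworks handle a javax.xml.transform.Source, so the practical check is to compare an unhardened TransformerFactory with one that has JAXP secure processing enabled and external DTD and stylesheet access switched off, and to feed the Source through a parser that refuses DOCTYPE declarations so that external entities are never resolved even if the transformer ignores the factory attributes. The Java below is an added example and is not Red Hat's, RESTEasy's, or the page's own code; the class and method names and the sample document (which declares an external entity pointing at a local file) are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedTransform {

    // Constructed sample input (not from the advisory): the DTD declares an
    // external entity that tries to pull a local file into the document.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<doc>&ext;</doc>";

    // Weak: default factory, default parser. Whether the external entity is
    // resolved here depends entirely on the JAXP implementation on the classpath.
    static String transformWeak(String xml) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer t = tf.newTransformer(); // identity transform
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    // Hardened factory: secure processing on, no external DTD or stylesheet access.
    // Implementations that do not know these attributes throw IllegalArgumentException,
    // which is itself a signal that the factory cannot be relied on for untrusted input.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Hardened source: wrap the input in a SAXSource whose XMLReader rejects DOCTYPE
    // declarations and external entities, so the transformer never receives resolved
    // entity content even if it ignores the factory attributes above.
    static Source hardenedSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    static String transformHardened(String xml) throws Exception {
        Transformer t = hardenedFactory().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(hardenedSource(xml), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("weak output: " + transformWeak(UNTRUSTED_XML));
        } catch (TransformerException e) {
            System.out.println("weak transform failed: " + e.getMessage());
        }
        try {
            System.out.println("hardened output: " + transformHardened(UNTRUSTED_XML));
        } catch (TransformerException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened transform rejected input: " + e.getMessage());
        }
    }
}
```

Run this on the actual EAP 7.0.x deployment rather than a plain JDK: the point of the Statement is that the behaviour belongs to the XML framework implementation shipped with EAP 7, so what transformWeak prints there (file contents in the output, an error, or nothing) is the observation that matters. The hardened path should reject the document on any implementation that honours the Xerces and SAX feature names used above; if setFeature or setAttribute throws because the names are unknown, treat that implementation as unable to process untrusted Source objects safely.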
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity Impact | None |
| Availability Impact | High |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EAP 7 | REST | Will not fix |
| Red Hat JBoss EAP 6 | REST | Not affected |
Acknowledgements
This issue was discovered by Katerina Novotna (Red Hat).

CVE description copyright © 2017, The MITRE Corporation
