MidnightBSD

Advisories for restlet

CVE-2013-4221 HIGH

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-16, CWE-91

Products Affected

Vendor Product Version
restlet restlet 2.1.1
restlet restlet 2.1.2
restlet restlet 2.1.0
restlet restlet 2.1
restlet restlet *

CVE-2013-4271 HIGH

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502

Products Affected

Vendor Product Version
restlet restlet 2.1.1
restlet restlet 2.1.2
restlet restlet 2.1.0
restlet restlet 2.1
restlet restlet *

CVE-2014-1868 MEDIUM

Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
restlet restlet_framework 2.1.1
restlet restlet_framework 2.1.5
restlet restlet_framework 2.2
restlet restlet_framework 2.1.2
restlet restlet_framework 2.1.3
restlet restlet_framework 2.1.0
restlet restlet_framework 2.1.4
restlet restlet_framework 2.1.6
restlet restlet_framework *

CVE-2017-14868 MEDIUM

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the JAX-RS extension.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611

Products Affected

Vendor Product Version
restlet restlet *

CVE-2017-14949 MEDIUM

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611

Products Affected

Vendor Product Version
restlet restlet *