XML Entity Expansion Vulnerability in Apache CXF JAX-RS Module

XML Entity Expansion Vulnerability in Apache CXF JAX-RS Module

CVE-2016-8739 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:N/A:N

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Learn more about our Cis Benchmark Audit For Apache Http Server.