Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

Remediation

References

CVE-2014-3530

Related Vulnerabilities

Python Integer Overflow or Wraparound Vulnerability (CVE-2016-5636)

MongoDb Insufficient Session Expiration Vulnerability (CVE-2019-2386)

WordPress Plugin post highlights Cross-Site Scripting (2.6)

Apache Tomcat Other Vulnerability (CVE-2002-0936)

WordPress Plugin WP-Lister Lite for Amazon Cross-Site Scripting (2.4.3)

Severity

High

Classification

CVE-2014-3530 CWE-200

Tags

Missing Update Known Vulnerabilities