CVE-2017-14949

Name of the Vulnerable Software and Affected Versions Restlet Framework versions prior to 2.3.12

Description The issue allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE (XML External Entity) attack. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation. The problem arises because only general external entities, not parameter external entities, are properly considered.

Recommendations For versions prior to 2.3.12, update to version 2.3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API or disabling the use of XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation until the update can be applied.