{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "3.0.11" }, { "introduced": "0" }, { "last_affected": "3.1.0" }, { "introduced": "0" }, { "last_affected": "3.1.1" }, { "introduced": "0" }, { "last_affected": "3.1.2" }, { "introduced": "0" }, { "last_affected": "3.1.3" }, { "introduced": "0" }, { "last_affected": "3.1.4" }, { "introduced": "0" }, { "last_affected": "3.1.5" }, { "introduced": "0" }, { "last_affected": "3.1.6" }, { "introduced": "0" }, { "last_affected": "3.1.7" }, { "introduced": "0" }, { "last_affected": "3.1.8" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "6c7df35913ce3fc6ec8f5dc6c6074b187f751aa6" }, { "introduced": "0" }, { "last_affected": "a04a1e06f7fffc5f145e33c6832f31b04782516b" }, { "introduced": "0" }, { "last_affected": "cdafd372c60b7e19229d7e6a91fc69b9c5dbc69c" }, { "introduced": "0" }, { "last_affected": "bc9e3714adc8848f37694eea62d33748b01fbb91" }, { "introduced": "0" }, { "last_affected": "f3185100ec7caea0ac4b52108210ed7e68e85271" }, { "introduced": "0" }, { "last_affected": "16d789c4a913e0cac51bcf929331abe84010ce1e" }, { "introduced": "0" }, { "last_affected": "f772a196f03f696d9410e2bfcda8edc75c5a5ce4" }, { "introduced": "0" }, { "last_affected": "8632867df4b542aeb158aa8d13d08ff6e31c4b4f" }, { "introduced": "0" }, { "last_affected": "bf2f1008a84e03aded4dc2f6b0e1b7560d6a666a" }, { "introduced": "0" }, { "last_affected": "32a346e82042e99336732056e2ec81ebc27f075e" } ], "repo": "https://github.com/apache/cxf", "type": "GIT" } ] } ], "details": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.", "id": "CVE-2016-8739", "modified": "2026-04-01T23:09:52.470342330Z", "published": "2017-08-10T18:29:00.190Z", "references": [ { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E" }, { "type": "ADVISORY", "url": "http://www.securityfocus.com/bid/97579" }, { "type": "ADVISORY", "url": "http://www.securitytracker.com/id/1037544" }, { "type": "ADVISORY", "url": "https://access.redhat.com/errata/RHSA-2017:0868" }, { "type": "FIX", "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ] }