{"id":"CVE-2017-14868","details":"Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XML External Entity (XXE) attack in a REST API HTTP request. This affects use of the JAX-RS extension.","aliases":["GHSA-2mp8-qvqm-3xwq"],"modified":"2026-04-11T15:43:20.092782Z","published":"2017-11-30T18:29:00.243Z","references":[{"type":"ADVISORY","url":"https://github.com/restlet/restlet-framework-java/issues/1286"},{"type":"ADVISORY","url":"https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"},{"type":"ADVISORY","url":"https://lgtm.com/blog/restlet_CVE-2017-14868"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/restlet/restlet-framework-java","events":[{"introduced":"0"},{"fixed":"72e6cebd2c81427578e03fca243953926017077f"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.3.11"}]}}],"versions":["2.2m1","2.2m2","2.2m3","2.2m4","2.2m5","2.2rc3","2.3.0","2.3.1","2.3.10","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.3m1","2.3m2","2.3m5","2.3rc1","2.3rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-14868.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}