GitHub Advisory DatabaseGHSA-VC3X-72Q4-G3P5XML External Entity Reference in jbpmmigration
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
43.5%
It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.
The related jbpm-designer project removed use of jbpmmigration completely as a result.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jbpm.jbpm5:jbpmmigration | le | 0.15 |
References
access.redhat.com/errata/RHSA-2017:3354
access.redhat.com/errata/RHSA-2017:3355
bugzilla.redhat.com/show_bug.cgi?id=1474822
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545
github.com/advisories/GHSA-vc3x-72q4-g3p5
github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d
nvd.nist.gov/vuln/detail/CVE-2017-7545
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
43.5%