It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.
CPE | Name | Operator | Version |
---|---|---|---|
jbpm | eq | 2.0 | |
jbpm | eq | 6.0.0.Alpha1 | |
jbpm | eq | 2.2.Final | |
jbpm | eq | 6.0.0.Alpha3 | |
jbpm | eq | 6.0.0.Alpha4 | |
jbpm | eq | 6.0.0.Beta1 | |
jbpm | eq | 6.0.0.Alpha9 | |
jbpm | eq | b4_uf_0.5.x |