It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.
CPE | Name | Operator | Version |
---|---|---|---|
decision_manager | eq | 7.0 | |
jboss_bpm_suite | eq | 6.4 | |
jbpm | eq | 6.5 |