Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12YzN4LTcycTQtZzNwNc4AARYw
XML External Entity Reference in jbpmmigration
It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.
The related jbpm-designer project removed use of jbpmmigration completely as a result.
Permalink: https://github.com/advisories/GHSA-vc3x-72q4-g3p5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12YzN4LTcycTQtZzNwNc4AARYw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vc3x-72q4-g3p5, CVE-2017-7545
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-7545
- https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d
- https://access.redhat.com/errata/RHSA-2017:3354
- https://access.redhat.com/errata/RHSA-2017:3355
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545
- https://bugzilla.redhat.com/show_bug.cgi?id=1474822
- https://github.com/advisories/GHSA-vc3x-72q4-g3p5
Blast Radius: 7.6
Affected Packages
maven:org.jbpm.jbpm5:jbpmmigration
Dependent packages: 7Dependent repositories: 15
Downloads:
Affected Version Ranges: <= 0.15
No known fixed version
All affected versions: