Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Zzk5LTV2cngtajJnZ84AAwwt
bonita-connector-webservice XML External Entity vulnerability
A vulnerability, which was classified as problematic, was found in bonitasoft bonita-connector-webservice up to 1.3.0. This affects the function TransformerConfigurationException
of the file src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java
. The manipulation leads to xml external entity reference. Upgrading to version 1.3.1 can address this issue. The name of the patch is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217443.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Zzk5LTV2cngtajJnZ84AAwwt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 6 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-wg99-5vrx-j2gg, CVE-2020-36640
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36640
- https://github.com/bonitasoft/bonita-connector-webservice/pull/17
- https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5
- https://github.com/bonitasoft/bonita-connector-webservice/releases/tag/1.3.1
- https://vuldb.com/?ctiid.217443
- https://vuldb.com/?id.217443
- https://github.com/advisories/GHSA-wg99-5vrx-j2gg
Blast Radius: 0.0
Affected Packages
maven:org.bonitasoft.connectors:bonita-connector-webservice
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.3.1
Fixed in: 1.3.1
All affected versions:
All unaffected versions: 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5