WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2017-7545 Vulnerability in maven package org.jbpm:jbpm-designer-backend

Description

It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

Remediation

References

https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545

https://access.redhat.com/errata/RHSA-2017:3355

https://access.redhat.com/errata/RHSA-2017:3354

http://www.securityfocus.com/bid/102179

Related Vulnerabilities

CVE-2019-13990 Vulnerability in maven package org.quartz-scheduler:quartz

CVE-2021-21414 Vulnerability in npm package sdk

CVE-2018-25083 Vulnerability in npm package pullit

CVE-2019-3772 Vulnerability in maven package org.springframework.integration:spring-integration-xml

CVE-2014-2058 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory Issue Tracking Vendor Advisory VDB Entry