Description
An administrator with workflow definition entitlements can supply a DTD in a BPMN workflow definition (an XML external entity, XXE, issue) to perform malicious operations, including but not limited to file read, file write, and code execution.
Remediation
References
https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions