| Field | Value |
|---|---|
| Vulnerability Name | CVE-2017-7545 (CCN-148146) |
| Assigned | 2017-04-05 |
| Published | 2018-02-12 |
| Updated | 2019-10-09 |
| Summary | It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. |
| CVSS v3 Severity | 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C); 6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) |
| Vulnerability Type | CWE-611 (Improper Restriction of XML External Entity Reference) |
| Vulnerability Consequences | Obtain Information |
| Vulnerable Configuration | Configuration 1: denotes that the component is vulnerable |

References:

- MITRE (CNA): CVE-2017-7545
- BID (Third Party Advisory, VDB Entry): 102179
- CCN (BID-102179): jBPM Migration CVE-2017-7545 XML External Entity Injection Vulnerability
- REDHAT (Vendor Advisory): RHSA-2017:3354
- REDHAT (Vendor Advisory): RHSA-2017:3355
- CCN (Red Hat Bugzilla): Bug 1474822 (CVE-2017-7545) CVE-2017-7545 jbpmmigration: XXE vulnerability in XmlUtils
- CONFIRM (Issue Tracking, Patch, Vendor Advisory): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545
- XF (UNKNOWN): jbpmmigration-cve20177545-info-disc(148146)
- CCN (jbpm-designer GIT Repository): JBPM-6415 - Remove jPDL migration plugin and its use from jbpm-design
- CONFIRM (Patch, Third Party Advisory): https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d
- CCN (WhiteSource Vulnerability Database): CVE-2017-7545