Vulnerabilities > CVE-2017-7545 - XXE vulnerability in Redhat Decision Manager, Jboss BPM Suite and Jbpm

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

redhat

CWE-611

NVD

Published: 2018-07-26

Updated: 2019-10-09

Summary

It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Decision Manager 7.0 Redhat Jboss BPM Suite 6.4 Redhat Jbpm 6.5	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Redhat

advisories

rhsa
id RHSA-2017:3354
rhsa
id RHSA-2017:3355

References

http://www.securityfocus.com/bid/102179
https://access.redhat.com/errata/RHSA-2017:3354
https://access.redhat.com/errata/RHSA-2017:3355
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545
https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d