CVE-2017-7545

Summary

CVE	CVE-2017-7545
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-07-26 15:29:00 UTC
Updated	2019-10-09 23:29:00 UTC
Description	It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

Risk And Classification

Problem Types: CWE-611

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Decision Manager	7.0	All	All	All
Application	Redhat	Decision Manager	7.0	All	All	All
Application	Redhat	Jboss Bpm Suite	6.4	All	All	All
Application	Redhat	Jboss Bpm Suite	6.4	All	All	All
Application	Redhat	Jbpm	6.5	All	All	All
Application	Redhat	Jbpm	6.5	All	All	All

References

Reference	Source	Link	Tags
JBPM-6415 - Remove jPDL migration plugin and its use from jbpm-design… · kiegroup/jbpm-designer@a143f3b · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Vendor Advisory
jBPM Migration CVE-2017-7545 XML External Entity Injection Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
1474822 – (CVE-2017-7545) CVE-2017-7545 jbpmmigration: XXE vulnerability in XmlUtils	CONFIRM	bugzilla.redhat.com	Issue Tracking, Patch, Vendor Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.