CVE-2017-7545 — XML External Entity Reference in jbpmmigration

Description

It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. The related jbpm-designer project removed use of jbpmmigration completely as a result.

How to fix CVE-2017-7545

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2017-7545 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-7545
PATCHgithub.com/kiegroup/jbpmmigration
WEBaccess.redhat.com/errata/RHSA-2017:3354
WEBaccess.redhat.com/errata/RHSA-2017:3355
WEBbugzilla.redhat.com