It was discovered that the XmlUtils class in jbpmmigration 6.5 expanded external parameter entities while parsing XML files, i.e. the parser was configured to resolve DTD entity references that point at external resources (local files or URLs) instead of rejecting them. A remote attacker able to supply XML input to the application could use this flaw to read files accessible to the user running the application server and, potentially, mount other more advanced XML External Entity (XXE) attacks.
[ { "source": "https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d", "target": { "function": "doPost", "file": "jbpm-designer-backend/src/main/java/org/jbpm/designer/web/server/TransformerServlet.java" }, "deprecated": false, "digest": { "function_hash": "290415126529844650967159109870274838437", "length": 9124.0 }, "signature_type": "Function", "signature_version": "v1", "id": "CVE-2017-7545-a3d8046d" }, { "source": "https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d", "target": { "file": "jbpm-designer-backend/src/main/java/org/jbpm/designer/web/server/TransformerServlet.java" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "313908912662565377947016482492340973128", "238177114996629066745998413455590458406", "184993690648778548144171192045447151478", "206545803165142201895570967392747679970", "151805170412280907921329294775915290843", "166368132491187728817205036784347196900", "231574195765996804855473343730778444983", "335886359667429882813519126636410945603", "191144672206823313810532022181946254008", "50747695179770869358061734861018017148", "68415498508569796640737536823120656357", "227589192130444549345244108090961646350", "165995045368834616870516782434514728544", "249890342067529779248032005809830851477", "4061003063292498715078110556211937865", "231318372138117439010104411592896057833", "75566364732313029072986352578103926788", "292003254128479633887051353205816440156", "142394251439117119299253636837841979996", "4701724789768663996837459152449651750", "100169347400142851268488828300247468776", "331315027114816129186771267655558391706", "257487664633828201620659197876387072790", "108222126345793817696315225008506845516", "55239172794580301495974166773925512205", "167378497913381052295221132345882097761", "233311042345339767610509337559643323805", "79290117657365919610570549782992124402", "145431115155199606467542182718482228232", 
"266304669019898170244532526270983073460", "147468180610788380161023600659453678321", "68368131401886204089806617014644872705", "61160605547444192046959987959361847836", "59466849474015197737273362857230397853", "77878406434231495540346126503575109071", "233333312906191488212788680391137848860" ] }, "signature_type": "Line", "signature_version": "v1", "id": "CVE-2017-7545-cce105d7" } ]