CVE-2020-36640

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-36640
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36640.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-36640
Aliases
Published
2023-01-05T10:15:09Z
Modified
2025-09-19T12:18:45.928963Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability, which the originating advisory (VulDB) classified as "problematic" even though NVD assigns it a CVSS 3.1 base score of 9.8 (Critical), was found in bonitasoft bonita-connector-webservice up to and including version 1.3.0. The affected code is the XML handling in src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java. Note that the original advisory text names "the function TransformerConfigurationException", but that is a javax.xml.transform exception type rather than a method; the fix commit's code signatures (see "Database specific" below) target the methods getTransformer, printRequestAndResponse and buildResponseDocumentBody in that file. The weakness is an XML External Entity (XXE) reference: the XML processing in this connector appears to leave external entity resolution enabled, so XML it parses or transforms (for a web service connector, typically the SOAP request/response it exchanges with the configured endpoint) can reference external entities, which in the general XXE case can lead to local file disclosure, SSRF or denial of service if that XML is attacker-influenced. Upgrading to version 1.3.1 addresses this issue; the fixing commit is a12ad691c05af19e9061d7949b6b828ce48815d5. It is recommended to upgrade the affected component. As defense in depth, any other XML parser or transformer factories in the deployment should disable DTD processing and external entity/stylesheet access (e.g. enable XMLConstants.FEATURE_SECURE_PROCESSING and set ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET to an empty string). The affected-version list below also includes bonita-connector-webservice-6.1.0* tags from an older tagging scheme; since the range has no known introducing commit, every commit before the fix is treated as affected. The associated VulDB identifier is VDB-217443.

References

Affected packages

Git / github.com/bonitasoft/bonita-connector-webservice

Affected ranges

Type
GIT
Repo
https://github.com/bonitasoft/bonita-connector-webservice
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed in commit a12ad691c05af19e9061d7949b6b828ce48815d5 (released in version 1.3.1)

Affected versions

1.*

1.0.12
1.0.13
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0

bonita-connector-webservice-1.*

bonita-connector-webservice-1.0.0

bonita-connector-webservice-6.*

bonita-connector-webservice-6.1.0
bonita-connector-webservice-6.1.0-rc-02
bonita-connector-webservice-6.1.0-rc-03
bonita-connector-webservice-6.1.0-rc-04
bonita-connector-webservice-6.1.0-rc-05
bonita-connector-webservice-6.1.0-rc-06
bonita-connector-webservice-6.1.0-rc-07
bonita-connector-webservice-6.1.0-rc-08
bonita-connector-webservice-6.1.0-rc-09

Database specific

{
    "vanir_signatures": [
        {
            "source": "https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5",
            "target": {
                "file": "src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java",
                "function": "getTransformer"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 316.0,
                "function_hash": "126584707425794684538061775401875770174"
            },
            "signature_type": "Function",
            "id": "CVE-2020-36640-19718d25"
        },
        {
            "source": "https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5",
            "target": {
                "file": "src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java",
                "function": "printRequestAndResponse"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 522.0,
                "function_hash": "313552796009566066289302339322874785076"
            },
            "signature_type": "Function",
            "id": "CVE-2020-36640-1fc72dea"
        },
        {
            "source": "https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5",
            "target": {
                "file": "src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java",
                "function": "buildResponseDocumentBody"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "length": 438.0,
                "function_hash": "267458609695961726349736944268426503076"
            },
            "signature_type": "Function",
            "id": "CVE-2020-36640-c9773df6"
        },
        {
            "source": "https://github.com/bonitasoft/bonita-connector-webservice/commit/a12ad691c05af19e9061d7949b6b828ce48815d5",
            "target": {
                "file": "src/main/java/org/bonitasoft/connectors/ws/SecureWSConnector.java"
            },
            "deprecated": false,
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                    "163697624163611354718520866918279155877",
                    "211521450840835562923687159630507822365",
                    "169101337966354907301146599261922695411",
                    "44942050844779701367571242332558126035",
                    "209893996525595167237500634111562052082",
                    "122525658299918865225096535203428929939",
                    "142424452069575045046745149400938347311",
                    "215581661556365738805674873643018491720",
                    "68906309157889530035351021429690878571",
                    "187780757414585957911861364175510583731",
                    "339696173983664439629902209949892589709",
                    "173237048629573771947489141065826960012",
                    "286403414175256202802402723354363626046",
                    "140881105738884322814867101718345586657",
                    "315894018377179509124053349960177182355",
                    "226971092306514866556968356406068046949",
                    "251775474226341365665538375484338068709",
                    "12357212343353571330490520347215318233",
                    "264268226389636019862151607078329918313",
                    "210511424120078035997017164574994456516",
                    "139012107343402325740411980430855447594",
                    "41086633106929466553087059822029024384",
                    "232075133933740547040954839662695645473",
                    "91262140085448256285351375414231877358",
                    "59332222045675953412878431681057536460",
                    "94578688514585219573416504258776039529",
                    "334916278931244313445997366707587877099",
                    "263765754215127007100800665487922423470",
                    "294187140196393447486406835504974834879",
                    "28372213355564888313174652912343672593",
                    "287884008941311912295374650123558481147",
                    "119882782263257294084417823331267298397",
                    "322976208295205734635971448346403195540",
                    "144372527450595859597626570628361150761",
                    "53008190142656476483194543972819980321",
                    "316003212762725875156716336743874558240",
                    "63569033682393650314156361380258146692",
                    "91709779764914650137202645312950658942",
                    "269081092529661841185995978892954550433",
                    "292867114935044710344321495889600319215",
                    "123959190501316608232956184779543157349",
                    "75445647517720497550802429978883108346",
                    "199841776914861916796765804451070683216",
                    "266231913211885275687598251882020133929",
                    "304942920979019757222155708242962146081",
                    "113959828481128084725807826139506543367",
                    "139291893707643487277808350591621535931",
                    "325013783717915773217790318089547691113",
                    "210538652554505329096912874492135581385",
                    "310548219515208019640203931497921390585",
                    "138782641749501670144113667065214892603",
                    "43129060894565993966300101663381836361",
                    "270834071272493720250018860414436717035",
                    "270354862287946814132370318388193513093",
                    "118438122331077885663898506426402316672",
                    "5127614259153638929036679225053788727",
                    "34271878110485365176463435208071026025",
                    "161368792588288194834596510202392703228",
                    "186539996055737012136909619129376599966",
                    "332339409010896585199646684788791740519",
                    "284902551282463839030654111621399393263",
                    "283566498192868948218909489449363778932",
                    "247161449539465156015507559100473470399",
                    "73724559684002499853486264791172852466",
                    "148666462390472161317538960039083513058",
                    "297491065552851354499540085754691228743",
                    "112935841183066223267070594346455485931",
                    "251554056188505016480620882779995476630",
                    "132819286736208539849460574339368553947",
                    "264143160445265478646948838720728920892",
                    "190702943556869694637179757000382759836",
                    "241379665846879291921482386910597655231",
                    "318375960140902274868445689180791668561",
                    "11711158611380022906832112880074623419",
                    "19504217641701881867800316730937629424",
                    "325899539232439682492369078959088125404",
                    "220458761034406808752272376599030269188",
                    "260457579544105683613798585172483131840",
                    "85604165189297324872141894585063421020",
                    "275856538651401779136640390608049815310",
                    "223263335314621133819089331755795810221",
                    "65117931806674119864479608977676646950",
                    "228246680312087978428367061380524784751",
                    "54293456459335644256328245205953103243",
                    "23666570282155498347983460341648148754",
                    "41153733291953673054061188991697180327",
                    "113186933855904969060800028989637809943",
                    "175660888064531740640649603823529880994"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "id": "CVE-2020-36640-f54ecdf8"
        }
    ]
}