GHSA-vc3x-72q4-g3p5

Suggest an improvement
Source
https://github.com/advisories/GHSA-vc3x-72q4-g3p5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vc3x-72q4-g3p5/GHSA-vc3x-72q4-g3p5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vc3x-72q4-g3p5
Aliases
Published
2022-05-13T01:36:17Z
Modified
2023-11-01T04:48:19.013902Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
XML External Entity Reference in jbpmmigration
Details

It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

The related jbpm-designer project removed use of jbpmmigration completely as a result.

Database specific
{
    "nvd_published_at": "2018-07-26T15:29:00Z",
    "github_reviewed_at": "2022-11-04T18:42:12Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Maven / org.jbpm.jbpm5:jbpmmigration

Package

Name
org.jbpm.jbpm5:jbpmmigration
View open source insights on deps.dev
Purl
pkg:maven/org.jbpm.jbpm5/jbpmmigration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.15

Affected versions

0.*

0.11
0.12
0.13
0.14
0.15