Vulnerability Details: CVE-2014-3682
XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl function in designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java in jbpm-designer 6.0.x and 6.2.x allows remote attackers to read arbitrary files and possibly have other unspecified impact by importing a crafted BPMN2 file.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2014-3682
- cpe:2.3:a:redhat:jbpm-designer:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm-designer:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jbpm-designer:6.0.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3682
- 2.21%: probability of exploitation activity in the next 30 days
- ~90%: percentile, the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2014-3682
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
References for CVE-2014-3682
- https://github.com/droolsjbpm/jbpm-designer/commit/5641588c730cc75dc3b76c34b76271fbd407fb84
  BZ1158017: fix XXE vulnerability when importing a BP from a bpmn2 (XM… · kiegroup/jbpm-designer@5641588 · GitHub
- https://github.com/droolsjbpm/jbpm-designer/commit/be3968d51299f6de0011324be60223ede49ecb1c
  BZ1150634: switch off external-parameter-entity processing in XML parser · kiegroup/jbpm-designer@be3968d · GitHub
- https://github.com/droolsjbpm/jbpm-designer/commit/e4691214a100718c3b1c9b93d4db466672ba0be3
  BZ1158017 - prevent processing of external entities · kiegroup/jbpm-designer@e469121 · GitHub
- https://github.com/droolsjbpm/jbpm-designer/commit/69d8f6b7a099594bd0536f88d528753875857088
  BZ1150634: switch off external-parameter-entity processing in XML parser · kiegroup/jbpm-designer@69d8f6b · GitHub
- http://rhn.redhat.com/errata/RHSA-2015-0234.html
  RHSA-2015:0234 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0235.html
  RHSA-2015:0235 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)