CVE-2017-7545: Improper Restriction of XML External Entity Reference

July 26, 2018 (updated October 9, 2019)

It was discovered that the XmlUtils class in jbpmmigration performs expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

References

www.securityfocus.com/bid/102179
access.redhat.com/errata/RHSA-2017:3354
access.redhat.com/errata/RHSA-2017:3355
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545
nvd.nist.gov/vuln/detail/CVE-2017-7545

Code Behaviors & Features

Detect and mitigate CVE-2017-7545 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →