| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.drools:drools-core | maven | <= 6.2.0.CR4 | 6.2.0.Final |
| org.jbpm:jbpm-bpmn2 | maven | <= 6.2.0.CR4 | 6.2.0.Final |
The vulnerability stems from improper XML parser configuration in Drools' BPMN2 processing. The GitHub commit diff shows explicit additions of SAX/DOM parser security features (disabling external entities) in ExtensibleXmlParser.java. The absence of these protections in vulnerable versions indicates the XML parsing functions were the attack surface. The test case added in jBPM's commit demonstrates how external entity injection in BPMN2 files could exploit this, confirming the vulnerable code path involves the XML parsing mechanisms during BPMN2 file processing.