
CVE-2017-7545: XML External Entity Reference in jbpmmigration

CVSS Score (v3.0)
6.5

Basic Information

EPSS Score
0.75807%
Published
5/13/2022
Updated
2/2/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
org.jbpm.jbpm5:jbpmmigration
Ecosystem
maven
Vulnerable Versions
<= 0.15
First Patched Version
(none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from insecure XML parsing in jbpmmigration's XmlUtils class, as explicitly stated in the advisory. The removal of JbpmMigration usage in jbpm-designer's commit (including the deletion of JbpmMigration.transform() calls in TransformerServlet.java) confirms these functions were the attack surface. The XXE arises because the XML parser was used without disabling external entity resolution, the defining condition of CWE-611 (Improper Restriction of XML External Entity Reference). The high confidence derives from the explicit linkage between the advisory's description, the CWE, and the code changes in the referenced commit.
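The following Java example is added here to illustrate the root cause described above; it is not jbpmmigration's XmlUtils code or anything from the jbpm-designer commit. It shows a hypothetical parse helper using default JAXP settings (which resolve external general and parameter entities) beside a hardened factory that rejects DOCTYPE declarations and disables external entities and external DTD loading. The sample document is constructed for the demo and only declares a harmless internal entity, which is enough to show the hardened parser refusing any DTD before entity handling starts.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample input (not from the advisory): a document with an
    // inline DTD that declares an internal entity. A parser that still accepts
    // DOCTYPEs expands it; one that rejects DOCTYPEs fails before any entity
    // (internal or external) is processed.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";

    // Hypothetical 'before': default JAXP settings. Out of the box the JDK
    // parser resolves external general and parameter entities, which is the
    // CWE-611 condition the advisory attributes to XmlUtils.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened 'after': refuse DOCTYPE declarations outright, and additionally
    // disable external general/parameter entities, external DTD loading,
    // XInclude and entity expansion as defence in depth should a deployment
    // later have to allow DOCTYPEs for schema validation.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parseHardened(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Default configuration: the entity is expanded and "hello" comes back.
        Document d = parseUnsafe(SAMPLE_WITH_DOCTYPE);
        System.out.println("default parser expanded entity: "
            + d.getDocumentElement().getTextContent());

        // Hardened configuration: the DOCTYPE itself is rejected with a
        // SAXParseException, so no entity is ever resolved.
        try {
            parseHardened(SAMPLE_WITH_DOCTYPE);
            System.out.println("hardened parser accepted DOCTYPE (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

A practical regression check for a code base that wraps XML parsing in a utility class is to feed exactly this kind of DOCTYPE-bearing document to the utility in a unit test and assert that a SAXParseException is thrown; if the test passes on the default factory, the utility is still in the state the advisory describes. The feature URIs above are the standard Xerces/JAXP names supported by the JDK's built-in parser; a factory that does not recognise one of them throws ParserConfigurationException, which should be treated as a failure rather than silently ignored.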


WAF Protection Rules

WAF Rule

It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, pote
