CVE-2014-8125

XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.

Published Bysecalert@redhat.com

Published DateApr 21, 2015, 17:59

Affected Versions(2)

org.drools:drools-core(Maven)

Introduced0

Fixed6.2.0.Final

LimitN/A

org.jbpm:jbpm-bpmn2(Maven)

Introduced0

Fixed6.2.0.Final

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.drools:drools-core(Maven)	0	6.2.0.Final	N/A
org.jbpm:jbpm-bpmn2(Maven)	0	6.2.0.Final	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL