OpenCVE

XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Drools Jboss Bpms Jboss Brms Jbpm

Configuration 1 [-]

OR	cpe:2.3:a:redhat:drools::::::::
	cpe:2.3:a:redhat:jbpm::::::::

Package	CPE	Advisory	Released Date
Red Hat JBoss BPMS 6.0
jbpm	cpe:/a:redhat:jboss_bpms:6.0	RHSA-2015:0851	2015-04-16T00:00:00Z
Red Hat JBoss BRMS 6.0
jbpm	cpe:/a:redhat:jboss_brms:6.0	RHSA-2015:0850	2015-04-16T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2015-0850.html
http://rhn.redhat.com/errata/RHSA-2015-0851.html
https://bugzilla.redhat.com/show_bug.cgi?id=1169553
https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3
https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5
https://nvd.nist.gov/vuln/detail/CVE-2014-8125
https://www.cve.org/CVERecord?id=CVE-2014-8125

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2015-04-21T17:00:00

Updated: 2024-08-06T13:10:50.745Z

Reserved: 2014-10-10T00:00:00

Link: CVE-2014-8125

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-04-21T17:59:02.603

Modified: 2015-05-26T17:56:16.943

Link: CVE-2014-8125

Redhat

Severity : Moderate

Publid Date: 2014-12-22T00:00:00Z

Links: CVE-2014-8125 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-12-22T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-21T16:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169553"}, {"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:10:50.745Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169553"}, {"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-8125", "datePublished": "2015-04-21T17:00:00", "dateReserved": "2014-10-10T00:00:00", "dateUpdated": "2024-08-06T13:10:50.745Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:drools:*:*:*:*:*:*:*:*", "matchCriteriaId": "957BA818-ECDF-44F3-B4D8-597BD245AF3B", "versionEndIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jbpm:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C4C5475-C380-400B-8B50-12F8AA49708D", "versionEndIncluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en Drools and jBPM anterior a 6.2.0 permite a atacantes remotos leer ficheros arbitrarios o posiblemente tener otro impacto no especificado a trav\u00e9s de un fichero BPMN2 manipulado."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "id": "CVE-2014-8125", "lastModified": "2015-05-26T17:56:16.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-04-21T17:59:02.603", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169553"}, {"source": "secalert@redhat.com", "url": "https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3"}, {"source": "secalert@redhat.com", "url": "https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Jeremy Lindop (Red Hat).", "affected_release": [{"advisory": "RHSA-2015:0851", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "jbpm", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-04-16T00:00:00Z"}, {"advisory": "RHSA-2015:0850", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "jbpm", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-04-16T00:00:00Z"}], "bugzilla": {"description": "jBPM: BPMN2 file processing XXE in Process Execution", "id": "1169553", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169553"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file.", "It was discovered that the jBPM runtime performed expansion of external parameter entities while executing BPMN2 files. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks."], "name": "CVE-2014-8125", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "jbpm", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Affected", "package_name": "jbpm", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "jbpm", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-esb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "jbpm", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4", "fix_state": "Will not fix", "package_name": "jbpm", "product_name": "Red Hat JBoss SOA Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "jbpm", "product_name": "Red Hat JBoss SOA Platform 5"}], "public_date": "2014-12-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-8125\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8125"], "statement": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "threat_severity": "Moderate"}