CVE-2014-3682

jbpm-designer: XXE in BPMN2 import

Severity Score

7.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl function in designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java in jbpm-designer 6.0.x and 6.2.x allows remote attackers to read arbitrary files and possibly have other unspecified impact by importing a crafted BPMN2 file.

Vulnerabilidad de entidad externa XML (XXE) en la función JBPMBpmn2ResourceImpl en designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java en jbpm-designer 6.0.x y 6.2.x permite a atacantes remotos leer ficheros arbitrarios y posiblemenete tener otro impacto no especificado mediante la importación de un fichero BPMN2 manipulado.

An XML External Entity (XXE) flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This roll up patch serves as a cumulative upgrade for Red Hat JBoss BPM Suite 6.0.3, and includes bug fixes and enhancements. It includes various bug fixes, which are listed in the README file included with the patch files.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-05-14 CVE Reserved
2015-02-17 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (8)

URL	Tag	Source
https://github.com/droolsjbpm/jbpm-designer/commit/5641588c730cc75dc3b76c34b76271fbd407fb84	X_refsource_confirm
https://github.com/droolsjbpm/jbpm-designer/commit/69d8f6b7a099594bd0536f88d528753875857088	X_refsource_confirm
https://github.com/droolsjbpm/jbpm-designer/commit/be3968d51299f6de0011324be60223ede49ecb1c	X_refsource_confirm
https://github.com/droolsjbpm/jbpm-designer/commit/e4691214a100718c3b1c9b93d4db466672ba0be3	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2015-0234.html	2015-03-24
http://rhn.redhat.com/errata/RHSA-2015-0235.html	2015-03-24
https://access.redhat.com/security/cve/CVE-2014-3682	2015-02-17
https://bugzilla.redhat.com/show_bug.cgi?id=1148260	2015-02-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jbpm-designer Search vendor "Redhat" for product "Jbpm-designer"				6.0.0 Search vendor "Redhat" for product "Jbpm-designer" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jbpm-designer Search vendor "Redhat" for product "Jbpm-designer"				6.0.1 Search vendor "Redhat" for product "Jbpm-designer" and version "6.0.1"		-		Affected
Redhat Search vendor "Redhat"		Jbpm-designer Search vendor "Redhat" for product "Jbpm-designer"				6.2.0 Search vendor "Redhat" for product "Jbpm-designer" and version "6.2.0"		-		Affected