Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-7974

DmnParser and BpmnParser are vulnerable to XXE processing

    XMLWordPrintable

Details

    • Bug Report
    • Status: Closed
    • L3 - Default
    • Resolution: Fixed
    • 7.6.0
    • 7.8.0, 7.8.0-alpha1
    • bpmn model api, dmn-engine
    • None
    • Camunda engine version 7.6.0

    Description

      When XML External Entities are processed, an attacker can get access to the file system of the machine hosting the camunda engine. Additionally HTTP and FTP requests can be executed.
      This processing is executed while the XML is parsed.

      To disable this vulnerability, the org.camunda.bpm.model.xml.impl.parser.AbstractModelParser needs to set the expandEntityReferences property of the DocumentBuilderFactory to false.

      Expected:

      • Since this feature of XML is barely used, and most time only as an attack vector, the expected default value would be "disabled"

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Activity

            People

              roman.smirnov Roman Smirnov
              robow Robert Wittek
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Salesforce