camunda BPM / CAM-7974

DmnParser and BpmnParser are vulnerable to XXE processing


    • Bug Report
    • Resolution: Fixed
    • L3 - Default
    • 7.8.0, 7.8.0-alpha1
    • 7.6.0
    • bpmn model api, dmn-engine
    • None
    • Camunda engine version 7.6.0

      When XML External Entities are processed, an attacker can get access to the file system of the machine hosting the camunda engine. Additionally, HTTP and FTP requests can be executed.
      This processing is executed while the XML is parsed.

      To disable this vulnerability, the org.camunda.bpm.model.xml.impl.parser.AbstractModelParser needs to set the expandEntityReferences property of the DocumentBuilderFactory to false.

      Expected:

      • Since this feature of XML is barely used, and most of the time only as an attack vector, the expected default value would be "disabled".
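
A sketch of the parser configuration this issue asks for, as an added example that is not Camunda's code or the project's actual fix. The class and method names are hypothetical, the sample documents are constructed, and the features set beyond `setExpandEntityReferences(false)` are an assumption layered on top of the setting named in the issue:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedModelParserExample {

    // Hypothetical helper: a DocumentBuilderFactory that will not resolve external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The setting named in the issue.
        dbf.setExpandEntityReferences(false);
        // Assumption beyond the issue text: reject any DOCTYPE outright, so a
        // document that declares entities fails before anything is resolved.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers where a DOCTYPE must stay allowed.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        return dbf;
    }

    // Returns true if the hardened parser accepts the document, false if it rejects it.
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false; // e.g. "DOCTYPE is disallowed" raised by the parser
        }
    }

    public static void main(String[] args) throws Exception {
        String ns = "http://www.omg.org/spec/BPMN/20100524/MODEL";
        // Constructed sample: an ordinary model document without a DOCTYPE.
        String plain = "<definitions xmlns=\"" + ns + "\"/>";
        // Constructed sample: same root element, but declaring an external entity
        // (placeholder URI); a regression test should expect this to be rejected.
        String withEntity = "<!DOCTYPE definitions [<!ENTITY ext SYSTEM "
            + "\"file:///constructed/placeholder\">]>"
            + "<definitions xmlns=\"" + ns + "\">&ext;</definitions>";
        System.out.println("plain model accepted: " + accepts(plain));
        System.out.println("model with external entity accepted: " + accepts(withEntity));
    }
}
```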


              roman.smirnov Roman Smirnov
              robow Robert Wittek