When XML External Entities are processed, an attacker can get access to the file system of the machine hosting the camunda engine. Additionally HTTP and FTP requests can be executed.
This processing is executed while the XML is parsed.
To disable this vulnerability, the org.camunda.bpm.model.xml.impl.parser.AbstractModelParser needs to set the expandEntityReferences property of the DocumentBuilderFactory to false.
- Since this feature of XML is barely used, and most time only as an attack vector, the expected default value would be "disabled"