  1. camunda BPM
  2. CAM-7974

DmnParser and BpmnParser are vulnerable to XXE processing


    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.6.0
    • Fix Version/s: 7.8.0, 7.8.0-alpha1
    • Component/s: bpmn model api, dmn-engine
    • Labels:
      None
    • Environment:
      Camunda engine version 7.6.0

      Description

      When XML External Entities are processed, an attacker can get access to the file system of the machine hosting the camunda engine. Additionally, HTTP and FTP requests can be executed.
      This processing is executed while the XML is parsed.

      To disable this vulnerability, the org.camunda.bpm.model.xml.impl.parser.AbstractModelParser needs to set the expandEntityReferences property of the DocumentBuilderFactory to false.

      Expected:

      • Since this feature of XML is barely used, and most of the time only as an attack vector, the expected default value would be "disabled"
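
Added example (not Camunda's own code or the committed fix): a DocumentBuilderFactory configured with the expandEntityReferences setting named in the description, checked against a constructed canary file. The extra DOCTYPE and external-entity features, and the class and method names, are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedParserExample {
    // Hypothetical helper (not Camunda code): a factory that refuses DTDs and external entities.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The setting named in the issue description.
        dbf.setExpandEntityReferences(false);
        // Additional hardening (assumption of this example, not taken from the issue).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        return dbf;
    }

    // Returns true if the parser rejected the document or kept the canary text out of the DOM.
    static boolean canaryProtected(DocumentBuilderFactory dbf, String xml, String canary) throws Exception {
        try {
            Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            // If the entity was resolved, the file content shows up as element text.
            return !doc.getDocumentElement().getTextContent().contains(canary);
        } catch (SAXException rejected) {
            return true; // the document was refused by the parser
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a canary file and a model document whose entity points at it.
        String canary = "CANARY-" + System.nanoTime();
        Path file = Files.createTempFile("xxe-canary", ".txt");
        Files.write(file, canary.getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e SYSTEM \"" + file.toUri()
            + "\">]><definitions>&e;</definitions>";
        System.out.println("default factory protected:  "
            + canaryProtected(DocumentBuilderFactory.newInstance(), xml, canary));
        System.out.println("hardened factory protected: " + canaryProtected(hardenedFactory(), xml, canary));
        Files.delete(file);
    }
}
```

The same canary check can be kept as a regression test around whichever parser factory an application uses to load BPMN or DMN XML.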


            People

            Assignee:
            roman.smirnov Smirnov Roman
            Reporter:
            robow Robert Wittek