CVE-2014-3682
First published: Wed Oct 01 2014(Updated: )
An XXE flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Jbpm-designer | =6.0.0 | |
| Redhat Jbpm-designer | =6.0.1 | |
| Redhat Jbpm-designer | =6.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/droolsjbpm/jbpm-designer/commit/382e43a6a203c547b91eca41dc213da98fdbf3a6
- https://github.com/droolsjbpm/jbpm-designer/commit/69d8f6b7a099594bd0536f88d528753875857088
- https://github.com/droolsjbpm/droolsjbpm-integration/commit/c04255ecbfcc2a50b3ed9407f4fd4570309ac214
- https://github.com/droolsjbpm/droolsjbpm-integration/commit/ef500fd8b6d6b84313daa37276dc403f359c2fff
- https://github.com/droolsjbpm/jbpm-designer/commit/5641588c730cc75dc3b76c34b76271fbd407fb84
- https://github.com/droolsjbpm/jbpm-designer/commit/be3968d51299f6de0011324be60223ede49ecb1c
- https://github.com/droolsjbpm/droolsjbpm-integration/commit/2d2074a00d16ad0bb177dbd473c423898b83eb7b
- https://github.com/droolsjbpm/droolsjbpm-integration/commit/8a3862ba41d730dcc8a76ae0d86d63c75fd30295
- https://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://rhn.redhat.com/errata/RHSA-2015-0234.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1148260
- http://rhn.redhat.com/errata/RHSA-2015-0234.html
- http://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://github.com/droolsjbpm/jbpm-designer/commit/e4691214a100718c3b1c9b93d4db466672ba0be3
Frequently Asked Questions
What is the severity of CVE-2014-3682?
CVE-2014-3682 has been assigned a severity level that indicates a significant security risk due to the potential for file read access and advanced XXE attacks.
How do I fix CVE-2014-3682?
To fix CVE-2014-3682, you should update to a patched version of the jbpm-designer, specifically versions later than 6.2.0.
What types of attacks can be executed through CVE-2014-3682?
An attacker can exploit CVE-2014-3682 to perform XXE attacks, potentially leading to unauthorized file access on the server.
Which versions of Redhat Jbpm-designer are affected by CVE-2014-3682?
CVE-2014-3682 affects Redhat jbpm-designer versions 6.0.0, 6.0.1, and 6.2.0.
Who is primarily affected by CVE-2014-3682?
Users and administrators of the jbpm-designer application who run it on servers with accessible file systems are primarily affected by CVE-2014-3682.
- collector/redhat-bugzilla
- alias/CVE-2014-3682
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/source
- vendor/redhat
- canonical/redhat jbpm-designer
- version/redhat jbpm-designer/6.0.0
- version/redhat jbpm-designer/6.0.1
- version/redhat jbpm-designer/6.2.0