CVE-2017-7464 β€” XML External Entity (XXE) Injection in Redhat Jboss Enterprise Application Platform

CWE-611 β€” XML External Entity (XXE) Injection5 documents5 sources
Severity
9.8CRITICALNVD
CNA8.7
EPSS
0.5%
top 32.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Jboss Enterprise Application Platform
Timeline
PublishedJul 27
Latest updateMay 13

Description

It was found that the JAXP implementation used in JBoss EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

πŸ”΄Vulnerability Details

2
GHSA
GHSA-9x6m-hc4p-vjq7: It was found that the JAXP implementation used in JBoss EAP 7β†—2022-05-13
β–Ά
CVEList
CVE-2017-7464: It was found that the JAXP implementation used in JBoss EAP 7β†—2018-07-27
β–Ά

πŸ“‹Vendor Advisories

1
Red Hat
JBoss: JAXP in EAP 7.0 allows info disclosure via XXE↗2017-05-11
β–Ά

πŸ’¬Community

1
Bugzilla
CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE↗2017-04-06
β–Ά
CVE-2017-7464 β€” XML External Entity (XXE) Injection | cvebase