XML External Entity injection in JBoss Enterprise Application Platform - CVE-2017-7503

Published: May 18, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38972
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-7503
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Enterprise Application Platform

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed.
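As an added illustration (not part of this advisory and not Red Hat's or JBoss EAP's own code), the snippet below shows the defence-in-depth configuration a deployer would apply to any `javax.xml.transform.TransformerFactory` that processes untrusted XML: the JAXP 1.5 access properties are set to the empty string so the factory refuses to fetch external DTDs and stylesheets, and secure processing is enabled. The class name, the `identityTransform` helper and the `http://example.invalid/placeholder` entity URL in the constructed sample document are assumptions chosen for the example; it assumes a JAXP 1.5-aware implementation (JDK 7u40 or later, or an equivalently updated bundled parser).

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

// Hypothetical helper class (assumption): builds a TransformerFactory hardened against XXE.
public final class HardenedTransformerFactory {

    // Returns a TransformerFactory that refuses to resolve external DTDs and stylesheets.
    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // JAXP 1.5 access properties: an empty string allows no protocol at all.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Secure processing also enforces entity-expansion and resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    // Identity transform of untrusted XML text through the hardened factory.
    // External entities declared in the input's DTD are not fetched.
    public static String identityTransform(String untrustedXml) throws Exception {
        Transformer transformer = create().newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(untrustedXml)),
                              new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a DTD declaring an external entity that points at a
        // placeholder URL (example.invalid is reserved and never resolves).
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"http://example.invalid/placeholder\"> ]>\n"
            + "<doc>&ext;</doc>";
        try {
            System.out.println(identityTransform(sample));
        } catch (Exception e) {
            // With external access disabled the parser reports the blocked entity
            // instead of attempting to retrieve it.
            System.out.println("Blocked as expected: " + e.getMessage());
        }
    }
}
```

Two practical checks follow from this. First, if `setAttribute` throws `IllegalArgumentException` for `ACCESS_EXTERNAL_DTD`, the factory implementation in use does not recognise the JAXP 1.5 controls, which is itself a signal that the bundled parser predates those protections and that the vendor update is the only effective fix. Second, this configuration covers code that obtains its own factory; it does not retroactively harden a factory created inside the platform's own classes, so it complements rather than replaces the vendor patch referenced under mitigation.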

How to mitigate CVE-2017-7503

Install update from vendor's website.

Sources