ID CVE-2015-1818
Summary XML external entity (XXE) vulnerability in the dashbuilder import facility (DocumentBuilders in org.jboss.dashboard.export.ImportManagerImpl) in Red Hat JBoss BPM Suite before 6.1.2 allows remote attackers to read arbitrary files, conduct server-side request forgery (SSRF) attacks, and have other unspecified impact via a crafted XML document. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_bpm_suite:6.0.1:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-01-2018 - 02:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2015:1539
  • rhsa
    id RHSA-2015:1704
refmap via4
Last major update 05-01-2018 - 02:30
Published 11-08-2015 - 14:59
Last modified 05-01-2018 - 02:30