CVE-2018-17186

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
apachesyncope
2.0.0 ≤
𝑥
≤ 2.0.11
apachesyncope
2.1.0 ≤
𝑥
≤ 2.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions
https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions