PT-2015-3732 · Red Hat · Jbpm-Designer

Published

2015-02-20

·

Updated

2015-03-24

·

CVE-2014-3682

CVSS v2.0

7.5

High

Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: jbpm-designer versions 6.0.x through 6.2.x
Description: An XML external entity (XXE) vulnerability in the JBPMBpmn2ResourceImpl class (bpmn2/resource/JBPMBpmn2ResourceImpl.java), the resource that loads BPMN2 process definitions, allows remote attackers to read arbitrary files and possibly have other unspecified impact by importing a crafted BPMN2 file. The XML parser behind the import resolves external entities declared in the file's DTD, so an entity whose SYSTEM identifier points at a local file is expanded into the loaded document and its contents become visible to whoever supplied the file.
Recommendations: Until a fixed release is deployed, treat every BPMN2 file offered to the designer's import as untrusted: restrict the import feature to authenticated users you trust, and do not import BPMN2 files obtained from unknown sources. If you build jbpm-designer from source, configure the XML parser used by JBPMBpmn2ResourceImpl to reject DOCTYPE declarations and to disable external general and parameter entities; this removes the entity expansion the attack relies on. Restricting read access to the Java source file itself does nothing for the runtime import path and is not a mitigation.
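The import path described above, as an added example that is not code from jbpm-designer or Red Hat: a constructed BPMN2 file whose DTD declares an external entity pointing at a local file is parsed once with a default JAXP DocumentBuilder (which expands the entity, the pattern the advisory describes) and once with a hardened builder that refuses the DOCTYPE. The class name Bpmn2XxeDemo, the method names, the payload and the temporary "secret" file are all assumptions made for this demonstration; the feature and property names are the standard JAXP/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not jbpm-designer code): a crafted BPMN2 file whose DTD
 * declares an external entity, parsed once with a default JAXP builder and
 * once with a hardened one. Only the builder configuration differs.
 */
public class Bpmn2XxeDemo {

    static final String BPMN2_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL";

    /** Constructed payload: a minimal BPMN2 document whose DTD pulls in a local file. */
    static String craftedBpmn2(Path localFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE definitions [\n"
             + "  <!ENTITY xxe SYSTEM \"" + localFile.toUri() + "\">\n"
             + "]>\n"
             + "<bpmn2:definitions xmlns:bpmn2=\"" + BPMN2_NS + "\" id=\"Definition\">\n"
             + "  <bpmn2:process id=\"demo\">\n"
             // External entities may not appear in attribute values (XML well-formedness
             // constraint), so the reference goes into element content instead.
             + "    <bpmn2:documentation>&xxe;</bpmn2:documentation>\n"
             + "  </bpmn2:process>\n"
             + "</bpmn2:definitions>\n";
    }

    /** Default JAXP settings: the DTD is processed and external entities are resolved. */
    static DocumentBuilder defaultBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Hardened settings: reject any DOCTYPE, so no entity can be declared at all. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that cannot refuse the DOCTYPE outright.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** "Imports" the document and returns the documentation text, where the entity lands. */
    static String importDocumentation(DocumentBuilder builder, String xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = builder.parse(in);
            return doc.getElementsByTagNameNS(BPMN2_NS, "documentation").item(0).getTextContent();
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive server file, created here so the demo runs anywhere.
        Path secret = Files.createTempFile("bpmn-xxe-", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = craftedBpmn2(secret);
            // Default parser: the file contents come back as the documentation text.
            System.out.println("default  : documentation = "
                    + importDocumentation(defaultBuilder(), xml));
            try {
                importDocumentation(hardenedBuilder(), xml);
            } catch (SAXParseException e) {
                // Hardened parser: the DOCTYPE itself is rejected before any entity is seen.
                System.out.println("hardened : rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac Bpmn2XxeDemo.java && java Bpmn2XxeDemo`; no dependencies beyond the JDK are needed. The first line prints the temp file's contents, which is exactly the arbitrary-file read the advisory describes; the second reports a parse error. If the loader behind JBPMBpmn2ResourceImpl is an EMF XMLResource (an assumption based on the class name, not stated on this page), the same SAX feature map can be supplied through the resource's default load options under `XMLResource.OPTION_PARSER_FEATURES` rather than on a DocumentBuilderFactory.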

Fix


Related Identifiers

CVE-2014-3682

Affected Products

Jbpm-Designer