Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-7465

It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.

Published

2018-06-27T16:29:00.207

Last Modified

2024-11-21T03:31:57.447

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-611
Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	jboss_enterprise_application_platform	7.0.0	Yes

References

http://www.securityfocus.com/bid/97605 Third Party Advisory, VDB Entry ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7465 Issue Tracking, Mitigation, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/97605 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7465 Issue Tracking, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)