CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score   | 7.5 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H |
Affected Packages State
| Platform            | Package        | State        |
| Red Hat JBoss EAP 7 | XML Frameworks | Fix deferred |
Acknowledgements
This issue was discovered by Jason Shepherd (Red Hat Product Security) and Katerina Novotna (Red Hat Quality Engineering).
This issue affects the processing of XML content from an untrusted source using a javax.xml.transform.TransformerFactory. The only safe way to process untrusted XML content with a TransformerFactory is to use the StAX API. StAX is a safe implementation on EAP 7.0.x because the XML content is not read in its entirety in order to parse it: as a developer using StAX, you decide which XML stream events you want to react to, so XXE control constructs are not processed automatically by the parser.
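The following is an added illustration of the StAX pull-parsing approach the advisory recommends; it is not code from the advisory or from JBoss EAP. It uses only the standard javax.xml.stream API: the factory is configured not to support DTDs or external entities, the application loops over stream events and reacts only to the element and character events it has chosen, and any DTD or unexpanded entity-reference event (or a parser error) is treated as a rejection of the untrusted document. The two input documents, the element names and the method names are constructed for this example; the SYSTEM URI in the second document is a placeholder that is never dereferenced.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxUntrustedXml {

    // Constructed sample inputs: a harmless document, and one that carries an
    // internal DTD declaring an external entity (placeholder URI, never read).
    static final String SAFE_DOC =
        "<order><id>42</id><note>hello</note></order>";
    static final String DTD_DOC =
        "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder-not-read\">]>"
        + "<order><id>42</id><note>&ext;</note></order>";

    /** StAX factory configured so the parser never resolves DTDs or external entities on its own. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /**
     * Pull events from the stream and react only to the ones this application
     * cares about (the text of the <note> element). A DTD event or an
     * unexpanded entity reference is a policy violation for untrusted input
     * and is rejected explicitly, as is any parser error; exactly which of the
     * two a given StAX implementation reports for a DOCTYPE is not relied on.
     */
    static String extractNote(String untrustedXml) {
        try {
            XMLStreamReader r = hardenedFactory()
                .createXMLStreamReader(new StringReader(untrustedXml));
            StringBuilder note = new StringBuilder();
            boolean inNote = false;
            while (r.hasNext()) {
                switch (r.next()) {
                    case XMLStreamConstants.DTD:
                    case XMLStreamConstants.ENTITY_REFERENCE:
                        throw new IllegalArgumentException(
                            "DTD or entity reference in untrusted XML rejected");
                    case XMLStreamConstants.START_ELEMENT:
                        inNote = "note".equals(r.getLocalName());
                        break;
                    case XMLStreamConstants.CHARACTERS:
                        if (inNote) note.append(r.getText());
                        break;
                    case XMLStreamConstants.END_ELEMENT:
                        inNote = false;
                        break;
                    default:
                        break; // comments, processing instructions, etc. are ignored
                }
            }
            return note.toString();
        } catch (XMLStreamException e) {
            throw new IllegalArgumentException("rejected untrusted XML: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        System.out.println("safe doc note = " + extractNote(SAFE_DOC));
        try {
            extractNote(DTD_DOC);
        } catch (IllegalArgumentException e) {
            System.out.println("DTD doc rejected: " + e.getMessage());
        }
    }
}
```

The important property is that the application, not the parser, decides what happens with each event: nothing in the stream causes an external resource to be fetched, and a document that tries to use a DTD construct simply fails validation at the point the event is seen rather than being expanded in the background.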