CVE-2017-7465

CVSS 9 CRITICALEPSS 3.0%CWE-611

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9EPSS 3.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

27 Jun 2018Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

[UNKNOWN] · jboss

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7465 http://www.securityfocus.com/bid/97605