Description
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
Remediation
References
https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions
Related Vulnerabilities
CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.13
CVE-2019-3875 Vulnerability in maven package org.keycloak:keycloak-server-spi-private
CVE-2021-21623 Vulnerability in maven package org.jenkins-ci.plugins:matrix-auth
CVE-2021-21617 Vulnerability in maven package org.jenkins-ci.plugins: configurationslicing
CVE-2020-28470 Vulnerability in npm package @scullyio/scully