What is CVE-2017-7503?

CVE-2017-7503 is a critical-severity vulnerability in Red Hat, Inc. Jboss Enterprise Application Platform, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2017-05-18.

How severe is CVE-2017-7503?

Critical severity. CVSS v3 base score is 9.8 out of 10.

XXE in Red Hat, Inc. Jboss Enterprise Application Platform

CVE-2017-7503

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed.

Vulnerability class: XXE (XML External Entity)

EPSS: 0.003 (54.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Red Hat, Inc. Jboss Enterprise Application Platform — versions 7.0.5
Redhat Jboss_enterprise_application_platform — versions 7.0.5

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

secalert@redhat.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
secalert@redhat.com (x_refsource_CONFIRM, VDB Entry, Third Party Advisory, Issue Tracking)

Frequently asked questions

What is CVE-2017-7503?: CVE-2017-7503 is a critical-severity vulnerability in Red Hat, Inc. Jboss Enterprise Application Platform, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2017-05-18.
How severe is CVE-2017-7503?: Critical severity. CVSS v3 base score is 9.8 out of 10.