An XXE (XML External Entity) vulnerability was found in BPM 7.1.0: the XmlUtils class in the org.jbpm.migration package parses crafted XML files with a misconfigured DocumentBuilder, so a document that declares external entities is processed rather than rejected.
Acknowledgments: Man Yue Mo (Semmle)
Upstream commit: https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d
This issue has been addressed in the following product: Red Hat JBoss BPM Suite, via RHSA-2017:3355 (https://access.redhat.com/errata/RHSA-2017:3355).
This issue has been addressed in the following product: Red Hat JBoss BRMS, via RHSA-2017:3354 (https://access.redhat.com/errata/RHSA-2017:3354).