CVE-2020-36640: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in bonitasoft bonita-connector-webservice up to version 1.3.0, identified as CVE-2020-36640. The vulnerability is related to XML External Entity (XXE) attacks, where access to external entities and network access were not properly disabled (GitHub PR, GitHub Commit).

The vulnerability was classified as an XML External Entity (XXE) issue (CWE-611). The security flaw existed in the XML processing components where external entity access and network access controls were not properly implemented. The issue was fixed by disabling access to external entities and network access through the addition of security attributes XMLConstants.ACCESSEXTERNALDTD and XMLConstants.ACCESSEXTERNALSCHEMA (GitHub Commit).

The vulnerability could potentially allow attackers to perform XXE attacks, which might lead to unauthorized access to internal files, server-side request forgery (SSRF), denial of service, or other system compromises (GitHub PR).

The vulnerability was fixed in version 1.3.1 of bonita-connector-webservice. Users should upgrade to this version or later to protect against XXE attacks. The fix includes implementing proper security controls by disabling access to external entities and network access in XML processing (GitHub Release).