CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-Q6PR-2FQ6-V4RV
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:34The Transition Technologies "The Scheduler" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7
{
"affected": [],
"aliases": [
"CVE-2018-14383"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-07T15:15:00Z",
"severity": "HIGH"
},
"details": "The Transition Technologies \"The Scheduler\" app 5.1.3 for Jira allows XXE due to a weakly configured/parameterized XML parser. It was fixed in the versions 5.2.1 and 3.3.7",
"id": "GHSA-q6pr-2fq6-v4rv",
"modified": "2024-04-04T01:34:40Z",
"published": "2022-05-24T16:52:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14383"
},
{
"type": "WEB",
"url": "https://marketplace.atlassian.com/apps/37456/the-scheduler?hosting=server\u0026tab=versions"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-022_jira_plugin_the_scheduler.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q723-3768-2877
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2022-05-14 03:10The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
{
"affected": [],
"aliases": [
"CVE-2017-3208"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T17:29:00Z",
"severity": "CRITICAL"
},
"details": "The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.",
"id": "GHSA-q723-3768-2877",
"modified": "2022-05-14T03:10:11Z",
"published": "2022-05-14T03:10:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3208"
},
{
"type": "WEB",
"url": "https://codewhitesec.blogspot.com/2017/04/amf.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/307983"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97384"
},
{
"type": "WEB",
"url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q74F-RF27-8HXC
Vulnerability from github – Published: 2023-10-31 00:31 – Updated: 2023-11-06 16:34An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencrx:opencrx-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46502"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-01T17:14:19Z",
"nvd_published_at": "2023-10-30T23:15:08Z",
"severity": "CRITICAL"
},
"details": "An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.",
"id": "GHSA-q74f-rf27-8hxc",
"modified": "2023-11-06T16:34:04Z",
"published": "2023-10-31T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46502"
},
{
"type": "WEB",
"url": "https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399"
},
{
"type": "WEB",
"url": "https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencrx/opencrx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenCRX allows a remote attacker to execute arbitrary code via a crafted request"
}
GHSA-Q74V-WMPG-RR8Q
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2019-13358"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-05T21:15:00Z",
"severity": "HIGH"
},
"details": "lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system.",
"id": "GHSA-q74v-wmpg-rr8q",
"modified": "2024-04-04T01:12:23Z",
"published": "2022-05-24T16:49:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13358"
},
{
"type": "WEB",
"url": "https://github.com/opencats/OpenCATS/pull/440"
},
{
"type": "WEB",
"url": "https://doddsecurity.com/312/xml-external-entity-injection-xxe-in-opencats-applicant-tracking-system"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164253/OpenCats-0.9.4-2-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://www.opencats.org/news"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7XG-HH3Q-HC68
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2023-10-27 14:19Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:config-file-provider"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21642"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:17:13Z",
"nvd_published_at": "2021-04-21T15:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.",
"id": "GHSA-q7xg-hh3q-hc68",
"modified": "2023-10-27T14:19:48Z",
"published": "2022-05-24T17:48:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21642"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/config-file-provider-plugin/commit/5f845bc015be769e595088bab11ec36c767671e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/config-file-provider-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/21/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin"
}
GHSA-Q876-XVXF-R2H2
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.
{
"affected": [],
"aliases": [
"CVE-2017-7426"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-01T20:29:00Z",
"severity": "CRITICAL"
},
"details": "The NetIQ Identity Manager Plugins before 4.6.1 contained various XML External XML Entity (XXE) handling flaws that could be used by attackers to leak information or cause denial of service attacks.",
"id": "GHSA-q876-xvxf-r2h2",
"modified": "2022-05-13T01:36:22Z",
"published": "2022-05-13T01:36:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7426"
},
{
"type": "WEB",
"url": "https://www.novell.com/support/kb/doc.php?id=7021173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q87H-3PPQ-WWF5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-10-19 19:00An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.
{
"affected": [],
"aliases": [
"CVE-2020-7032"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-13T01:15:00Z",
"severity": "MODERATE"
},
"details": "An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.",
"id": "GHSA-q87h-3ppq-wwf5",
"modified": "2022-10-19T19:00:24Z",
"published": "2022-05-24T17:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7032"
},
{
"type": "WEB",
"url": "https://downloads.avaya.com/css/P8/documents/101072249"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/blind-out-of-band-xml-external-entity-injection-in-avaya-web-license-manager"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160123/Avaya-Web-License-Manager-XML-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q8X7-F6F7-8J2H
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:49SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.
{
"affected": [],
"aliases": [
"CVE-2020-6202"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T21:15:00Z",
"severity": "HIGH"
},
"details": "SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently validate the LDAP data source configuration XML document accepted from an untrusted source, leading to Missing XML Validation.",
"id": "GHSA-q8x7-f6f7-8j2h",
"modified": "2024-04-04T02:49:10Z",
"published": "2022-05-24T17:10:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6202"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2847787"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9CP-MC96-M4W2
Vulnerability from github – Published: 2020-11-23 21:18 – Updated: 2024-02-05 11:16Problem
It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.
At least with libxml2 version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.
Solution
Update to TYPO3 version 10.4.10 that fixes the problem described.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26229"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-11-23T21:16:32Z",
"nvd_published_at": "2020-11-23T22:15:12Z",
"severity": "LOW"
},
"details": "### Problem\nIt has been discovered that RSS widgets are susceptible to XML external entity processing.\nThis vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions.\n\nAt least with _libxml2_ version 2.9, the processing of XML external entities is disabled per default - and cannot be exploited. Besides that, a valid backend user account is needed.\n\n### Solution\nUpdate to TYPO3 version 10.4.10 that fixes the problem described.",
"id": "GHSA-q9cp-mc96-m4w2",
"modified": "2024-02-05T11:16:11Z",
"published": "2020-11-23T21:18:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-q9cp-mc96-m4w2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26229"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26229.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26229.yaml"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2020-012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity in Dashboard Widget"
}
GHSA-Q9GV-R7Q5-76R2
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.
{
"affected": [],
"aliases": [
"CVE-2016-3027"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-01T20:59:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources.",
"id": "GHSA-q9gv-r7q5-76r2",
"modified": "2022-05-13T01:14:04Z",
"published": "2022-05-13T01:14:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3027"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg21994440"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.