Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-66Q5-CM35-PHR2

Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31
VLAI
Details

A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T10:15:21Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions \u003c V2404.4). The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.",
  "id": "GHSA-66q5-cm35-phr2",
  "modified": "2025-05-13T12:31:35Z",
  "published": "2025-05-13T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51445"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-162255.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-66X9-6GMR-H34W

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-10-06 18:52
VLAI
Details

SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-14T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.",
  "id": "GHSA-66x9-6gmr-h34w",
  "modified": "2022-10-06T18:52:06Z",
  "published": "2022-05-24T17:14:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6238"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2904480"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6755-JGP4-8Q7H

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-09-09 00:45
VLAI
Summary
XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin
Details

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:pipeline-maven"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-09T00:45:35Z",
    "nvd_published_at": "2019-05-31T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-6755-jgp4-8q7h",
  "modified": "2022-09-09T00:45:35Z",
  "published": "2022-05-24T22:00:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10327"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/pipeline-maven-plugin/commit/e7cb858852c05d2423e3fd9922a090982dcd6392"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/pipeline-maven-plugin/tree/master/pipeline-maven"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108540"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin"
}

GHSA-67M6-WGH8-4VH7

Vulnerability from github – Published: 2022-05-14 01:32 – Updated: 2022-05-14 01:32
VLAI
Details

PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-30T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF.",
  "id": "GHSA-67m6-wgh8-4vh7",
  "modified": "2022-05-14T01:32:47Z",
  "published": "2022-05-14T01:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19858"
    },
    {
      "type": "WEB",
      "url": "https://hacking.us.com/blog/XSS-to-XXE-in-Prince"
    },
    {
      "type": "WEB",
      "url": "https://www.lynxsecurity.io"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=-7YIzYtWhzM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67MM-C9VQ-WPVP

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143797.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-25T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 143797.",
  "id": "GHSA-67mm-c9vq-wpvp",
  "modified": "2022-05-13T01:33:05Z",
  "published": "2022-05-13T01:33:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1607"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/143797"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10731511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67MV-4HJ2-XP3G

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-11 15:30
VLAI
Details

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T14:16:02Z",
    "severity": "HIGH"
  },
  "details": "CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause unauthorized disclosure of local files, interaction within the EBO system, or denial of service conditions when a local user uploads a specially crafted TGML graphics file to the EBO server from Workstation.",
  "id": "GHSA-67mv-4hj2-xp3g",
  "modified": "2026-02-11T15:30:27Z",
  "published": "2026-02-11T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1227"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-041-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-041-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-67Q3-GWWW-PM4G

Vulnerability from github – Published: 2022-05-17 02:28 – Updated: 2022-11-22 18:57
VLAI
Summary
Apache OpenMeetings does not correctly validate uploaded XML documents
Details

Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0. The issue is fixed in version 3.3.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.openmeetings:openmeetings-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-22T18:57:02Z",
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0. The issue is fixed in version 3.3.0.",
  "id": "GHSA-67q3-gwww-pm4g",
  "modified": "2022-11-22T18:57:02Z",
  "published": "2022-05-17T02:28:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7664"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/openmeetings"
    },
    {
      "type": "WEB",
      "url": "http://markmail.org/message/cwr552iapmhukb45"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99576"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache OpenMeetings does not correctly validate uploaded XML documents"
}

GHSA-67V4-R89V-8632

Vulnerability from github – Published: 2022-05-17 03:37 – Updated: 2022-05-17 03:37
VLAI
Details

The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-0284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-11-24T19:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The XML parser in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
  "id": "GHSA-67v4-r89v-8632",
  "modified": "2022-05-17T03:37:41Z",
  "published": "2022-05-17T03:37:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0284"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21991478"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-683X-4444-JXH8

Vulnerability from github – Published: 2024-06-24 20:44 – Updated: 2024-06-28 18:58
VLAI
Summary
Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java
Details

Impact

Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.

XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.

PoC

import org.cyclonedx.parsers.XmlParser;

class Poc {

    public static void main(String[] args) {
        // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused
        new XmlParser().parse("""
            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]>
            <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/>
            """.getBytes());
    }

}

Patches

The vulnerability has been fixed in cyclonedx-core-java version 0.9.4.

Workarounds

If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for parsing. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cyclonedx:cyclonedx-core-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "9.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-24T20:44:48Z",
    "nvd_published_at": "2024-06-28T18:15:04Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nBefore deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.\n\nXXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application.\n\n### PoC\n\n```java\nimport org.cyclonedx.parsers.XmlParser;\n\nclass Poc {\n\n    public static void main(String[] args) {\n        // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused\n        new XmlParser().parse(\"\"\"\n            \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n            \u003c!DOCTYPE bom [\u003c!ENTITY % sp SYSTEM \"https://localhost:1010/does-not-exist/file.dtd\"\u003e %sp;]\u003e\n            \u003cbom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"/\u003e\n            \"\"\".getBytes());\n    }\n\n}\n```\n\n### Patches\n\nThe vulnerability has been fixed in _cyclonedx-core-java_ version 0.9.4.\n\n### Workarounds\n\nIf feasible, applications can reject XML documents before handing them to _cyclonedx-core-java_ for parsing.\nThis may be an option if incoming CycloneDX BOMs are known to be in JSON format.\n\n### References\n\n* Issue was fixed via \u003chttps://github.com/CycloneDX/cyclonedx-core-java/pull/434\u003e\n* Issue was introduced via \u003chttps://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9\u003e\n* \u003chttps://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\u003e\n* \u003chttps://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xpathexpression\u003e\n",
  "id": "GHSA-683x-4444-jxh8",
  "modified": "2024-06-28T18:58:48Z",
  "published": "2024-06-24T20:44:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38374"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/434/commits/ab0bc9c530d24f737970dbd0287d1190b129853d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java"
}

GHSA-685X-Q7J3-8C52

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-11T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.",
  "id": "GHSA-685x-q7j3-8c52",
  "modified": "2022-05-13T01:36:43Z",
  "published": "2022-05-13T01:36:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3206"
    },
    {
      "type": "WEB",
      "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/307983"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97380"
    },
    {
      "type": "WEB",
      "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.