CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-FRWM-8R3X-CRR9
Vulnerability from github – Published: 2022-05-14 01:34 – Updated: 2022-05-14 01:34Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.
{
"affected": [],
"aliases": [
"CVE-2018-1000889"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-28T16:29:00Z",
"severity": "HIGH"
},
"details": "Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.",
"id": "GHSA-frwm-8r3x-crr9",
"modified": "2022-05-14T01:34:20Z",
"published": "2022-05-14T01:34:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000889"
},
{
"type": "WEB",
"url": "https://github.com/reds-heig/logisim-evolution/pull/139"
},
{
"type": "WEB",
"url": "https://www.kvakil.me/posts/logisim"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FRX6-QWHW-G358
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-09 18:32An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload.
{
"affected": [],
"aliases": [
"CVE-2024-46602"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:34Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Elspec G5 digital fault recorder version 1.2.1.12 and earlier. An XML External Entity (XXE) vulnerability may allow an attacker to cause a Denial of Service (DoS) via a crafted XML payload.",
"id": "GHSA-frx6-qwhw-g358",
"modified": "2025-01-09T18:32:13Z",
"published": "2025-01-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46602"
},
{
"type": "WEB",
"url": "https://www.elspec-ltd.com/support/security-advisories."
},
{
"type": "WEB",
"url": "http://elspec.com"
},
{
"type": "WEB",
"url": "http://g5.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FV3H-9947-8CPJ
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a partial DoS condition on an affected system. There are workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-1530"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-06T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of Cisco BroadWorks Messaging Server Software could allow an authenticated, remote attacker to access sensitive information or cause a partial denial of service (DoS) condition on an affected system. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by uploading a crafted XML file that contains references to external entities. A successful exploit could allow the attacker to retrieve files from the local system, resulting in the disclosure of sensitive information, or cause the application to consume available resources, resulting in a partial DoS condition on an affected system. There are workarounds that address this vulnerability.",
"id": "GHSA-fv3h-9947-8cpj",
"modified": "2022-05-24T19:01:33Z",
"published": "2022-05-24T19:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1530"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bwms-xxe-uSLrZgKs"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FVFQ-Q238-J7J3
Vulnerability from github – Published: 2025-11-05 18:31 – Updated: 2025-11-06 15:12An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 4.7.259"
},
"package": {
"ecosystem": "Maven",
"name": "org.wso2.carbon.mediation:org.wso2.carbon.localentry"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10713"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T15:12:30Z",
"nvd_published_at": "2025-11-05T18:15:32Z",
"severity": "MODERATE"
},
"details": "An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.\n\nA successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server\u0027s filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.",
"id": "GHSA-fvfq-q238-j7j3",
"modified": "2025-11-06T15:12:30Z",
"published": "2025-11-05T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10713"
},
{
"type": "WEB",
"url": "https://github.com/wso2/carbon-mediation/pull/1784"
},
{
"type": "WEB",
"url": "https://github.com/wso2/carbon-mediation/commit/b995b2f1db96a4697791f0202cc8713f15640fd5"
},
{
"type": "PACKAGE",
"url": "https://github.com/wso2/carbon-mediation"
},
{
"type": "WEB",
"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks"
}
GHSA-FX6G-Q2XM-RMCH
Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-30 21:31Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.
{
"affected": [],
"aliases": [
"CVE-2026-29924"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T19:16:24Z",
"severity": "HIGH"
},
"details": "Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin.",
"id": "GHSA-fx6g-q2xm-rmch",
"modified": "2026-03-30T21:31:03Z",
"published": "2026-03-30T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29924"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FXHP-WRW9-3R97
Vulnerability from github – Published: 2022-03-18 17:46 – Updated: 2022-03-18 17:46An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.nutch:nutch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23901"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-06T19:54:36Z",
"nvd_published_at": "2021-01-25T10:16:00Z",
"severity": "CRITICAL"
},
"details": "An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions \u003c 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application\u0027s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. This issue is fixed in Apache Nutch 1.18.",
"id": "GHSA-fxhp-wrw9-3r97",
"modified": "2022-03-18T17:46:29Z",
"published": "2022-03-18T17:46:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23901"
},
{
"type": "WEB",
"url": "https://github.com/apache/nutch/pull/563"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/NUTCH-2841"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r090321840b44cc91086c4e317bf2baffa270749dde6c1273b6567f7c%40%3Cdev.nutch.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5e2f7737b42c73a3325f3c2c8cdee1ec27631b3a0e144104d84d70e6@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7ddfd680aa7ea001ca8da63bb23e3f8caa095a8b4f2261e46bade5c7@%3Cdev.nutch.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210513-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML external entity (XXE) injection in Apache Nutch"
}
GHSA-G24F-MGC3-JWWC
Vulnerability from github – Published: 2026-04-15 19:42 – Updated: 2026-04-27 16:22Summary
The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters.
Details
Velbus import uses DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...) on untrusted XML input, without explicit safeguards to disable DTD/external entities.
```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future startAssetImport(byte[] fileData, Consumer assetConsumer) {
return executorService.submit(() -> {
Document xmlDoc;
try {
String xmlStr = new String(fileData, StandardCharsets.UTF_8);
LOG.info("Parsing VELBUS project file");
xmlDoc = DocumentBuilderFactory
.newInstance()
.newDocumentBuilder()
.parse(new InputSource(new StringReader(xmlStr)));
Expanded `Caption` content is propagated into created asset names:
```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java
String name = module.getElementsByTagName("Caption").item(0).getTextContent();
name = isNullOrEmpty(name) ? deviceType.toString() : name;
// TODO: Use device specific asset types
Asset<?> device = new ThingAsset(name);
PoC
- Log in to a realm with a user that can call Velbus asset import.
- Create/select a Velbus TCP Agent in that same realm.
- Send
POST /api/{realm}/agent/assetImport/{agentId}with a Velbus project XML payload and compare behavior against a baseline import file. - Save the below code as a
xxe.xmland upload toSetupunderhttps://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>. Chnage thefile:///etc/passwdto another file if yourpasswdis longer than 1023 characters.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE velbus [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Project>
<Module type="VMB1RY" address="01" build="00" serial="LAB">
<Caption>&xxe;</Caption>
</Module>
</Project>
As long as the file content is under 1023 characters, the exploit will succeed.
If the file content reaches the limit, an error is thrown.
Impact
- Type: XML External Entity (XXE)
- Affected: Deployments exposing Velbus import to authenticated users with import access
- Risk: limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.21.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.openremote:openremote-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40882"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:42:23Z",
"nvd_published_at": "2026-04-22T21:17:08Z",
"severity": "HIGH"
},
"details": "### Summary\nThe Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters.\n\n### Details\nVelbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities.\n\n```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java\n @Override\n public Future\u003cVoid\u003e startAssetImport(byte[] fileData, Consumer\u003cAssetTreeNode[]\u003e assetConsumer) {\n\n return executorService.submit(() -\u003e {\n Document xmlDoc;\n try {\n String xmlStr = new String(fileData, StandardCharsets.UTF_8);\n LOG.info(\"Parsing VELBUS project file\");\n\n xmlDoc = DocumentBuilderFactory\n .newInstance()\n .newDocumentBuilder()\n .parse(new InputSource(new StringReader(xmlStr)));\n```\n\nExpanded `Caption` content is propagated into created asset names:\n\n```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java\n String name = module.getElementsByTagName(\"Caption\").item(0).getTextContent();\n name = isNullOrEmpty(name) ? deviceType.toString() : name;\n\n // TODO: Use device specific asset types\n Asset\u003c?\u003e device = new ThingAsset(name);\n```\n\n### PoC\n1. Log in to a realm with a user that can call Velbus asset import.\n2. Create/select a Velbus TCP Agent in that same realm.\n3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file.\n3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=\u003cYOUR_REALM\u003e#/assets/false/\u003cASSET_ID\u003e`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters.\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE velbus [\n \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e\n]\u003e\n\u003cProject\u003e\n \u003cModule type=\"VMB1RY\" address=\"01\" build=\"00\" serial=\"LAB\"\u003e\n \u003cCaption\u003e\u0026xxe;\u003c/Caption\u003e\n \u003c/Module\u003e\n\u003c/Project\u003e\n```\n\nAs long as the file content is under 1023 characters, the exploit will succeed.\n\u003cimg width=\"1200\" height=\"662\" alt=\"image\" src=\"https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b\" /\u003e\n\nIf the file content reaches the limit, an error is thrown.\n\u003cimg width=\"1200\" height=\"630\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429\" /\u003e\n\n\n### Impact\n- **Type:** XML External Entity (XXE)\n- **Affected:** Deployments exposing Velbus import to authenticated users with import access\n- **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.",
"id": "GHSA-g24f-mgc3-jwwc",
"modified": "2026-04-27T16:22:53Z",
"published": "2026-04-15T19:42:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40882"
},
{
"type": "PACKAGE",
"url": "https://github.com/openremote/openremote"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenRemote has XXE in Velbus Asset Import"
}
GHSA-G2VX-F8P2-FQ5G
Vulnerability from github – Published: 2024-11-18 18:30 – Updated: 2024-11-18 18:30A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-26066"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T17:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web UI of Cisco\u0026nbsp;SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system.\nThe vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
"id": "GHSA-g2vx-f8p2-fq5g",
"modified": "2024-11-18T18:30:59Z",
"published": "2024-11-18T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26066"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx3-vrZbOqqD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G33J-XWRP-HPFV
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.
{
"affected": [],
"aliases": [
"CVE-2021-21517"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-01T21:15:00Z",
"severity": "HIGH"
},
"details": "SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.",
"id": "GHSA-g33j-xwrp-hpfv",
"modified": "2022-05-24T17:43:24Z",
"published": "2022-05-24T17:43:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21517"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000183576/dsa-2021-045-dell-emc-srs-policy-manager-security-update-for-external-entity-injection-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G3GP-3RFF-X6QF
Vulnerability from github – Published: 2022-10-28 12:00 – Updated: 2022-10-31 19:00VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-31678"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-28T02:15:00Z",
"severity": "CRITICAL"
},
"details": "VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure.",
"id": "GHSA-g3gp-3rff-x6qf",
"modified": "2022-10-31T19:00:26Z",
"published": "2022-10-28T12:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31678"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.