Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-G7W4-R4MG-GVHX

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-12-22 14:05
VLAI
Summary
XXE vulnerability in Jenkins RapidDeploy Plugin
Details

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:rapiddeploy-jenkins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T14:05:19Z",
    "nvd_published_at": "2020-03-25T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the \u0027RapidDeploy deployment package build\u0027 build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.\n\nRapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-g7w4-r4mg-gvhx",
  "modified": "2022-12-22T14:05:19Z",
  "published": "2022-05-24T17:12:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2171"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/rapiddeploy-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1677"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins RapidDeploy Plugin"
}

GHSA-G822-3V64-2VPM

Vulnerability from github – Published: 2023-03-21 15:30 – Updated: 2023-03-24 21:30
VLAI
Details

IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.",
  "id": "GHSA-g822-3v64-2vpm",
  "modified": "2023-03-24T21:30:54Z",
  "published": "2023-03-21T15:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27874"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/249845"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6964694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G83J-RJQ4-8487

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00
VLAI
Details

Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.",
  "id": "GHSA-g83j-rjq4-8487",
  "modified": "2022-09-18T00:00:35Z",
  "published": "2022-09-14T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38342"
    },
    {
      "type": "WEB",
      "url": "https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item"
    },
    {
      "type": "WEB",
      "url": "https://community.safe.com/s/article/Known-Issue-FME-Server-vulnerability-with-arbitrary-path-traversal-and-file-upload"
    },
    {
      "type": "WEB",
      "url": "https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure"
    },
    {
      "type": "WEB",
      "url": "http://fme.com"
    },
    {
      "type": "WEB",
      "url": "http://safe.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G848-PPPP-VG6F

Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2025-04-28 21:30
VLAI
Details

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-23T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
  "id": "GHSA-g848-pppp-vg6f",
  "modified": "2025-04-28T21:30:38Z",
  "published": "2022-11-23T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221209-0003"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213531"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213533"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213534"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213535"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213536"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/24"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/25"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/26"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G89X-G6H5-52VM

Vulnerability from github – Published: 2022-04-14 00:00 – Updated: 2022-04-22 00:01
VLAI
Details

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)",
  "id": "GHSA-g89x-g6h5-52vm",
  "modified": "2022-04-22T00:01:08Z",
  "published": "2022-04-14T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0221"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8GP-8CC3-6F2W

Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20
VLAI
Details

XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-02T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.",
  "id": "GHSA-g8gp-8cc3-6f2w",
  "modified": "2022-05-17T02:20:12Z",
  "published": "2022-05-17T02:20:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11390"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/1117722"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100078"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-17-501"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G939-V35M-P2V6

Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-21 00:00
VLAI
Details

Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-20T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.",
  "id": "GHSA-g939-v35m-p2v6",
  "modified": "2022-07-21T00:00:34Z",
  "published": "2022-07-21T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32458"
    },
    {
      "type": "WEB",
      "url": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G939-WPMQ-66Q4

Vulnerability from github – Published: 2022-05-14 01:53 – Updated: 2022-05-14 01:53
VLAI
Details

FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-05T21:29:00Z",
    "severity": "LOW"
  },
  "details": "FsPro Labs Event Log Explorer 4.6.1.2115 has \".elx\" FileType XML External Entity Injection.",
  "id": "GHSA-g939-wpmq-66q4",
  "modified": "2022-05-14T01:53:17Z",
  "published": "2022-05-14T01:53:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16252"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45319"
    },
    {
      "type": "WEB",
      "url": "http://hyp3rlinx.altervista.org/advisories/FSPRO-LABS-EVENT-LOG-EXPLORER-XML-INJECTION-INFO-DISCLOSURE.txt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/149195/FsPro-Labs-Event-Log-Explorer-4.6.1.2115-XML-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G945-CXXH-JXH9

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.",
  "id": "GHSA-g945-cxxh-jxh9",
  "modified": "2022-05-24T19:03:20Z",
  "published": "2022-05-24T19:03:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20492"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/197793"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6456017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G9HG-X9C9-7XGR

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-10-27 13:17
VLAI
Summary
XXE vulnerability in Jenkins CVS Plugin
Details

Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins CVS Plugin 2.17 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.16"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:cvs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-16T22:56:27Z",
    "nvd_published_at": "2020-12-03T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins CVS Plugin 2.17 disables external entity resolution for its XML parser.",
  "id": "GHSA-g9hg-x9c9-7xgr",
  "modified": "2023-10-27T13:17:26Z",
  "published": "2022-05-24T17:35:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/cvs-plugin/commit/ff121443b282c8dbd6a5ee4841f152f78e4a5954"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/cvs-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2146"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins CVS Plugin"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.