CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-G7W4-R4MG-GVHX
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-12-22 14:05RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.
RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:rapiddeploy-jenkins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2171"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-22T14:05:19Z",
"nvd_published_at": "2020-03-25T17:15:00Z",
"severity": "HIGH"
},
"details": "RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the \u0027RapidDeploy deployment package build\u0027 build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.\n\nRapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.",
"id": "GHSA-g7w4-r4mg-gvhx",
"modified": "2022-12-22T14:05:19Z",
"published": "2022-05-24T17:12:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2171"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/rapiddeploy-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1677"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins RapidDeploy Plugin"
}
GHSA-G822-3V64-2VPM
Vulnerability from github – Published: 2023-03-21 15:30 – Updated: 2023-03-24 21:30IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.
{
"affected": [],
"aliases": [
"CVE-2023-27874"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T15:15:00Z",
"severity": "HIGH"
},
"details": "IBM Aspera Faspex 4.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote authenticated attacker could exploit this vulnerability to execute arbitrary commands. IBM X-Force ID: 249845.",
"id": "GHSA-g822-3v64-2vpm",
"modified": "2023-03-24T21:30:54Z",
"published": "2023-03-21T15:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27874"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/249845"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6964694"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G83J-RJQ4-8487
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-18 00:00Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.
{
"affected": [],
"aliases": [
"CVE-2022-38342"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T20:15:00Z",
"severity": "MODERATE"
},
"details": "Safe Software FME Server v2022.0.1.1 and below was discovered to contain a XML External Entity (XXE) vulnerability which allows authenticated attackers to perform data exfiltration or Server-Side Request Forgery (SSRF) attacks.",
"id": "GHSA-g83j-rjq4-8487",
"modified": "2022-09-18T00:00:35Z",
"published": "2022-09-14T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38342"
},
{
"type": "WEB",
"url": "https://community.safe.com/s/article/Known-Issue-FME-Server-XXE-vulnerability-via-adding-a-repository-item"
},
{
"type": "WEB",
"url": "https://community.safe.com/s/article/Known-Issue-FME-Server-vulnerability-with-arbitrary-path-traversal-and-file-upload"
},
{
"type": "WEB",
"url": "https://www.cycura.com/blog/safe-software-inc-fme-server-vulnerability-disclosure"
},
{
"type": "WEB",
"url": "http://fme.com"
},
{
"type": "WEB",
"url": "http://safe.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G848-PPPP-VG6F
Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2025-04-28 21:30An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
{
"affected": [],
"aliases": [
"CVE-2022-40304"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-23T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.",
"id": "GHSA-g848-pppp-vg6f",
"modified": "2025-04-28T21:30:38Z",
"published": "2022-11-23T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221209-0003"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213531"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213533"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213534"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213535"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213536"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/24"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/25"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/26"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G89X-G6H5-52VM
Vulnerability from github – Published: 2022-04-14 00:00 – Updated: 2022-04-22 00:01A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)
{
"affected": [],
"aliases": [
"CVE-2022-0221"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)",
"id": "GHSA-g89x-g6h5-52vm",
"modified": "2022-04-22T00:01:08Z",
"published": "2022-04-14T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0221"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G8GP-8CC3-6F2W
Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.
{
"affected": [],
"aliases": [
"CVE-2017-11390"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-02T21:29:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.",
"id": "GHSA-g8gp-8cc3-6f2w",
"modified": "2022-05-17T02:20:12Z",
"published": "2022-05-17T02:20:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11390"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/1117722"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100078"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-17-501"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G939-V35M-P2V6
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-21 00:00Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.
{
"affected": [],
"aliases": [
"CVE-2022-32458"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T02:15:00Z",
"severity": "HIGH"
},
"details": "Digiwin BPM has a XML External Entity Injection (XXE) vulnerability due to insufficient validation for user input. An unauthenticated remote attacker can perform XML injection attack to access arbitrary system files.",
"id": "GHSA-g939-v35m-p2v6",
"modified": "2022-07-21T00:00:34Z",
"published": "2022-07-21T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32458"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-6288-49e01-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G939-WPMQ-66Q4
Vulnerability from github – Published: 2022-05-14 01:53 – Updated: 2022-05-14 01:53FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML External Entity Injection.
{
"affected": [],
"aliases": [
"CVE-2018-16252"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-05T21:29:00Z",
"severity": "LOW"
},
"details": "FsPro Labs Event Log Explorer 4.6.1.2115 has \".elx\" FileType XML External Entity Injection.",
"id": "GHSA-g939-wpmq-66q4",
"modified": "2022-05-14T01:53:17Z",
"published": "2022-05-14T01:53:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16252"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45319"
},
{
"type": "WEB",
"url": "http://hyp3rlinx.altervista.org/advisories/FSPRO-LABS-EVENT-LOG-EXPLORER-XML-INJECTION-INFO-DISCLOSURE.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/149195/FsPro-Labs-Event-Log-Explorer-4.6.1.2115-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G945-CXXH-JXH9
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
{
"affected": [],
"aliases": [
"CVE-2021-20492"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T17:15:00Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.",
"id": "GHSA-g945-cxxh-jxh9",
"modified": "2022-05-24T19:03:20Z",
"published": "2022-05-24T19:03:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20492"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/197793"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6456017"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G9HG-X9C9-7XGR
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-10-27 13:17Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins CVS Plugin 2.17 disables external entity resolution for its XML parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.16"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cvs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2324"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T22:56:27Z",
"nvd_published_at": "2020-12-03T16:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins CVS Plugin 2.17 disables external entity resolution for its XML parser.",
"id": "GHSA-g9hg-x9c9-7xgr",
"modified": "2023-10-27T13:17:26Z",
"published": "2022-05-24T17:35:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2324"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/cvs-plugin/commit/ff121443b282c8dbd6a5ee4841f152f78e4a5954"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/cvs-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2146"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins CVS Plugin"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.