Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-H7PC-9M8F-584G

Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-14 00:01
VLAI
Details

National Library of the Netherlands multiNER <= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "National Library of the Netherlands multiNER \u003c= c0440948057afc6e3d6b4903a7c05e666b94a3bc is affected by an XML External Entity (XXE) vulnerability in multiNER/ner.py. Since XML parsing resolves external entities, a malicious XML stream could leak internal files and/or cause a DoS.",
  "id": "GHSA-h7pc-9m8f-584g",
  "modified": "2021-12-14T00:01:39Z",
  "published": "2021-12-09T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44557"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KBNLresearch/multiNER/pull/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KBNLresearch/multiNER"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H7QF-QMF3-85QG

Vulnerability from github – Published: 2025-06-25 14:14 – Updated: 2025-06-25 14:14
VLAI
Summary
Allure Report allows Improper XXE Restriction via DocumentBuilderFactory
Details

Summary

A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).

Details

In \allure2-main\plugins\xunit-xml-plugin\src\main\java\io\qameta\allure\xunitxml\XunitXmlPlugin.java the application uses DocumentBuilderFactory without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files.

PoC

To recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine).

  1. Create a folder called allure, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however, for the rest of the POC, I will focus on reading system files for better screenshots.

SSRF (replace webhook link with your own)

image

Reading System Files

image

  1. Put the malicious .xml file into the allure directory created previously
  2. Run the following command to run the report allure generate C:\path\to\directory\allure -o report --clean
  3. To view and confirm the executed payload, run allure open report
  4. When the report opens, confirm the payload executedby going to Categories > Product defects > <payload response> image

Impact

The explained XXE vulnerability can lead to Arbitrary File Disclosure and Server-Side Request Forgery. This exploitation can also be carried out silently, meaning it can be carried out without user interaction if the tool is automated within an application, and can go undetected with a carefully crafted payload. This could allow a malicious actor to view other source codes which may contain API or product keys, internal application URLs, or other secret items. This makes it an especially high risk when ran within a CI/CD platform.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.34.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.qameta.allure.plugins:xunit-xml-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.34.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.34.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.qameta.allure.plugins:junit-xml-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.34.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.34.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.qameta.allure.plugins:trx-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.34.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-25T14:14:09Z",
    "nvd_published_at": "2025-06-24T20:15:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).\n\n### Details\nIn `\\allure2-main\\plugins\\xunit-xml-plugin\\src\\main\\java\\io\\qameta\\allure\\xunitxml\\XunitXmlPlugin.java` the application uses `DocumentBuilderFactory` without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files.\n\n### PoC\nTo recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine). \n\n1. Create a folder called `allure`, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however, for the rest of the POC, I will focus on reading system files for better screenshots.\n##SSRF (replace webhook link with your own)\n![image](https://github.com/user-attachments/assets/a1a9a438-b6f1-4675-973f-a43847a84519)\n\n##Reading System Files\n![image](https://github.com/user-attachments/assets/eb0e1e60-1f76-42e7-b68d-2137bed62fe9)\n\n2. Put the malicious .xml file into the `allure` directory created previously\n3. Run the following command to run the report `allure generate C:\\path\\to\\directory\\allure -o report --clean`\n4. To view and confirm the executed payload, run `allure open report`\n5. When the report opens, confirm the payload executedby going to `Categories \u003e Product defects \u003e \u003cpayload response\u003e`\n![image](https://github.com/user-attachments/assets/e7244550-2e9f-4066-b282-86f1eb8cf5e4)\n\n\n\n### Impact\nThe explained XXE vulnerability can lead to Arbitrary File Disclosure and Server-Side Request Forgery. This exploitation can also be carried out silently, meaning it can be carried out without user interaction if the tool is automated within an application, and can go undetected with a carefully crafted payload. This could allow a malicious actor to view other source codes which may contain API or product keys, internal application URLs, or other secret items. This makes it an especially high risk when ran within a CI/CD platform.",
  "id": "GHSA-h7qf-qmf3-85qg",
  "modified": "2025-06-25T14:14:09Z",
  "published": "2025-06-25T14:14:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/allure-framework/allure2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Allure Report allows Improper XXE Restriction via DocumentBuilderFactory"
}

GHSA-H7WH-8CWV-QQM6

Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2024-04-04 03:42
VLAI
Details

Zoho ManageEngine ServiceDesk Plus through 14104 allows admin users to conduct an XXE attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-26T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Zoho ManageEngine ServiceDesk Plus through 14104 allows admin users to conduct an XXE attack.",
  "id": "GHSA-h7wh-8cwv-qqm6",
  "modified": "2024-04-04T03:42:09Z",
  "published": "2023-04-26T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29443"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/service-desk/CVE-2023-29443.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H827-X5F6-X45J

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

IBM QRadar SIEM 7.3 and 7.4 may vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 193245.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.3 and 7.4 may vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 193245.",
  "id": "GHSA-h827-x5f6-x45j",
  "modified": "2022-05-24T19:01:24Z",
  "published": "2022-05-24T19:01:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5013"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193245"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6449690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H87W-WJ3V-299R

Vulnerability from github – Published: 2023-07-19 06:31 – Updated: 2024-04-04 06:16
VLAI
Details

XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T06:15:12Z",
    "severity": "MODERATE"
  },
  "details": "XBRL data create application version 7.0 and earlier improperly restricts XML external entity references (XXE). By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker.",
  "id": "GHSA-h87w-wj3v-299r",
  "modified": "2024-04-04T06:16:55Z",
  "published": "2023-07-19T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32635"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN44726469"
    },
    {
      "type": "WEB",
      "url": "https://submit2.edinet-fsa.go.jp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H896-MX9X-G32G

Vulnerability from github – Published: 2019-05-29 18:15 – Updated: 2022-11-17 17:55
VLAI
Summary
XML External Entity injection in Apache Camel
Details

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-xmljson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.23.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-0188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-05-29T18:15:06Z",
    "nvd_published_at": "2019-05-28T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.",
  "id": "GHSA-h896-mx9x-g32g",
  "modified": "2022-11-17T17:55:41Z",
  "published": "2019-05-29T18:15:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/blob/master/docs/user-manual/en/security-advisories/CVE-2019-0188.txt.asc"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/TAMAYA-410"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/00118387610522b107cbdcec5369ddd512b576ff0236a02bfca12f44@%3Cusers.camel.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/45349f8bd98c1c13a84beddede18fe79b8619ebab99d90f1fb43d7ab@%3Cdev.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/61601cda2c5f9832184ea14647b0c0589c94126a460c8eb196be1313@%3Ccommits.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/63d1cec8541befeb59dbed23a6b227bdcca7674aa234fb43354dac82@%3Ccommits.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6fefbd90f7fb4c8412d85ea3e9e97a4b76b47e206f502c73c29dc0b7@%3Ccommits.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/84ba9b79e801a4148dde73d1969cdae0247d11ff63de7ce11b394dc5@%3Ccommits.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/eed73fc18d4fa3e2341cd0ab101b47f06b16c7efc1cb73791c524c9d@%3Cdev.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/fe74d173689600d9a395d026f0bf5d154c0bf7bd195ecfbc2c987036@%3Cdev.tamaya.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN71498764/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/24/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108422"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity injection in Apache Camel"
}

GHSA-H8F7-2HGQ-GR97

Vulnerability from github – Published: 2023-08-10 21:30 – Updated: 2023-11-03 21:30
VLAI
Details

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-10T19:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.",
  "id": "GHSA-h8f7-2hgq-gr97",
  "modified": "2023-11-03T21:30:19Z",
  "published": "2023-08-10T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32567"
    },
    {
      "type": "WEB",
      "url": "https://download.wavelink.com/Files/avalanche_v6.4.1.236_release_notes.txt"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H8P8-6378-649P

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 16:41
VLAI
Summary
XML external entity reference vulnerability on agents in Jenkins Semantic Versioning Plugin
Details

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:semantic-versioning-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:16:23Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
  "id": "GHSA-h8p8-6378-649p",
  "modified": "2023-02-06T16:41:27Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/semantic-versioning-plugin/commit/8df2fabd7d7396ae29c374914d1357744d3e454f"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2973%20(2)"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity reference vulnerability on agents in Jenkins Semantic Versioning Plugin "
}

GHSA-H8Q5-G2CJ-QR5H

Vulnerability from github – Published: 2018-10-17 15:43 – Updated: 2022-04-26 21:46
VLAI
Summary
Apache Tika is vulnerable to entity expansions which can lead to a denial of service attack
Details

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1"
            },
            {
              "fixed": "1.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-11796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:39:33Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.",
  "id": "GHSA-h8q5-g2cj-qr5h",
  "modified": "2022-04-26T21:46:04Z",
  "published": "2018-10-17T15:43:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11796"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-h8q5-g2cj-qr5h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tika"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05@%3Cdev.tika.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190903-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Tika is vulnerable to entity expansions which can lead to a denial of service attack"
}

GHSA-H94W-8QHG-3XMC

Vulnerability from github – Published: 2025-05-05 09:31 – Updated: 2025-05-05 19:58
VLAI
Summary
WSO2 API Manager XML External Entity (XXE) vulnerability
Details

An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.

This vulnerability can be exploited by an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks.

  • On systems running JDK 7 or early JDK 8, full file contents may be exposed.

  • On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.

  • DoS attacks such as "Billion Laughs" payloads can cause service disruption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.wso2.am:am-distribution-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-2905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T19:58:08Z",
    "nvd_published_at": "2025-05-05T09:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution.\n\nThis vulnerability can be exploited by an unauthenticated remote attacker to read files from the server\u2019s filesystem or perform denial-of-service (DoS) attacks.\n\n  *  On systems running JDK 7 or early JDK 8, full file contents may be exposed.\n\n  *  On later versions of JDK 8 and newer, only the first line of a file may be read, due to improvements in XML parser behavior.\n\n  *  DoS attacks such as \"Billion Laughs\" payloads can cause service disruption.",
  "id": "GHSA-h94w-8qhg-3xmc",
  "modified": "2025-05-05T19:58:08Z",
  "published": "2025-05-05T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2905"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wso2/product-apim"
    },
    {
      "type": "WEB",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3993"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WSO2 API Manager XML External Entity (XXE) vulnerability"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.