CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-HR8P-76Q8-FXWQ
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-10-27 16:07Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:performance"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21701"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:49:26Z",
"nvd_published_at": "2021-11-12T11:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-hr8p-76q8-fxwq",
"modified": "2023-10-27T16:07:43Z",
"published": "2022-05-24T19:20:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21701"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/performance-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2394"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1313"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Performance Plugin"
}
GHSA-HVQH-VMW8-VHGV
Vulnerability from github – Published: 2022-05-17 02:34 – Updated: 2025-04-20 03:37An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.
{
"affected": [],
"aliases": [
"CVE-2017-7907"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-19T03:29:00Z",
"severity": "MODERATE"
},
"details": "An Improper XML Parser Configuration issue was discovered in Schneider Electric Wonderware Historian Client 2014 R2 SP1 and prior. An improperly restricted XML parser (with improper restriction of XML external entity reference, or XXE) may allow an attacker to enter malicious input through the application which could cause a denial of service or disclose file contents from a server or connected network.",
"id": "GHSA-hvqh-vmw8-vhgv",
"modified": "2025-04-20T03:37:51Z",
"published": "2022-05-17T02:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7907"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-122-01"
},
{
"type": "WEB",
"url": "http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000120"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98254"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038542"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVRH-GFRR-FGC9
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2025-10-22 00:33SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
{
"affected": [],
"aliases": [
"CVE-2025-2776"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:15:57Z",
"severity": "CRITICAL"
},
"details": "SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.",
"id": "GHSA-hvrh-gfrr-fgc9",
"modified": "2025-10-22T00:33:18Z",
"published": "2025-05-07T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2776"
},
{
"type": "WEB",
"url": "https://documentation.sysaid.com/docs/24-40-60"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2776"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HVXH-2JJ9-WH53
Vulnerability from github – Published: 2025-01-17 12:30 – Updated: 2025-01-17 12:30CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure, impacts workstation integrity and potential remote code execution on the compromised computer, when specific crafted XML file is imported in the Web Designer configuration tool.
{
"affected": [],
"aliases": [
"CVE-2024-12476"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-17T10:15:07Z",
"severity": "HIGH"
},
"details": "CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could\ncause information disclosure, impacts workstation integrity and potential remote code execution on the\ncompromised computer, when specific crafted XML file is imported in the Web Designer configuration tool.",
"id": "GHSA-hvxh-2jj9-wh53",
"modified": "2025-01-17T12:30:40Z",
"published": "2025-01-17T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12476"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-014-04.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HWC9-2QCX-R45X
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2025-05-05 18:31Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-21220"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "HIGH"
},
"details": "Improper restriction of XML external entity for Intel(R) Quartus(R) Prime Pro Edition before version 21.3 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hwc9-2qcx-r45x",
"modified": "2025-05-05T18:31:36Z",
"published": "2022-02-11T00:00:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21220"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00632.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWJ3-M3P6-HJ38
Vulnerability from github – Published: 2020-06-05 16:13 – Updated: 2022-02-08 22:06dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10683"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-04T19:38:22Z",
"nvd_published_at": "2020-05-01T19:15:00Z",
"severity": "CRITICAL"
},
"details": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
"id": "GHSA-hwj3-m3p6-hj38",
"modified": "2022-02-08T22:06:12Z",
"published": "2020-06-05T16:13:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10683"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4575-1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200518-0002"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"type": "PACKAGE",
"url": "https://github.com/dom4j/dom4j"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "dom4j allows External Entities by default which might enable XXE attacks"
}
GHSA-HX54-PF28-7XCH
Vulnerability from github – Published: 2024-06-07 21:31 – Updated: 2024-10-30 21:36An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function via lxml dependency allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ebookmeta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37388"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T21:54:46Z",
"nvd_published_at": "2024-06-07T19:15:24Z",
"severity": "HIGH"
},
"details": "An XML External Entity (XXE) vulnerability in the `ebookmeta.get_metadata` function via lxml dependency allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.",
"id": "GHSA-hx54-pf28-7xch",
"modified": "2024-10-30T21:36:34Z",
"published": "2024-06-07T21:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37388"
},
{
"type": "WEB",
"url": "https://github.com/dnkorpushov/ebookmeta/issues/16#issue-2317712335"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnkorpushov/ebookmeta"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ebookmeta XML External Entity vulnerability"
}
GHSA-HXFR-CCXH-4WCM
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-05 00:00IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.
{
"affected": [],
"aliases": [
"CVE-2022-31775"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T11:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228359.",
"id": "GHSA-hxfr-ccxh-4wcm",
"modified": "2022-08-05T00:00:25Z",
"published": "2022-08-02T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31775"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228359"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6608608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXJP-Q6C3-38FX
Vulnerability from github – Published: 2023-02-10 09:30 – Updated: 2024-10-14 14:14The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi:nifi-ccda-processors"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22832"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-10T22:41:43Z",
"nvd_published_at": "2023-02-10T08:15:00Z",
"severity": "HIGH"
},
"details": "The ExtractCCDAAttributes Processor in Apache NiFi 1.2.0 through 1.19.1 does not restrict XML External Entity references. Flow configurations that include the ExtractCCDAAttributes Processor are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations and disallows XML External Entity resolution in the ExtractCCDAAttributes Processor.",
"id": "GHSA-hxjp-q6c3-38fx",
"modified": "2024-10-14T14:14:56Z",
"published": "2023-02-10T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22832"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi/commit/e966336e8966cf0cbbd12a2c4f2d73a7ceb75cd8"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/nifi"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/b51qs6y7b7r58vovddkv6wc16g2xbl3w"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/security.html#CVE-2023-22832"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in Apache NiFi"
}
GHSA-HXV5-FPM3-VHQH
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2025-05-07 15:31SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.
{
"affected": [],
"aliases": [
"CVE-2025-2777"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:15:57Z",
"severity": "CRITICAL"
},
"details": "SysAid On-Prem versions \u003c= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the lshw processing functionality, allowing for administrator account takeover and file read primitives.",
"id": "GHSA-hxv5-fpm3-vhqh",
"modified": "2025-05-07T15:31:42Z",
"published": "2025-05-07T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2777"
},
{
"type": "WEB",
"url": "https://documentation.sysaid.com/docs/24-40-60"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.