Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-JJ54-8F66-C5PC

Vulnerability from github – Published: 2025-06-10 20:10 – Updated: 2025-06-10 20:10
VLAI
Summary
[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service
Details

Summary

GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.

It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).

Details

While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.

This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks.

PoC

No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.

Impact

  • Information Disclosure:

This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that are accessible to the GeoServer process.

This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.

  • Server-Side Request Forgery (SSRF)

The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources

References

Acknowledgements

This vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.

XBOW-025-068 Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.27.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.27.0"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.25.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.25.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-wfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:10:06Z",
    "nvd_published_at": "2025-06-10T16:15:37Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nGeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack.\n\nIt is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers.  This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF).\n\n## Details\n\nWhile direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation.\n\nThis bypasses GeoServer\u0027s AllowListEntityResolver enabling XXE attacks.\n\n## PoC\n\nNo public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service.\n\n## Impact\n\n* Information Disclosure: \n\n  This vulnerability allows unauthenticated attackers to read arbitrary files from the server\u0027s filesystem that are accessible to the GeoServer process.\n  \n  This can lead to exposure of sensitive information including configuration files, credentials, and system files. The attack can be performed remotely without authentication, making it particularly severe.\n\n* Server-Side Request Forgery (SSRF) \n  \n  The mechanism inherently allows forcing GeoServer to make HTTP requests to arbitrary URLs, enabling SSRF attacks against internal network resources \n\n## References\n\n* [CVE-2025-30220](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) XML External Entity (XXE) Processing Vulnerability in XSD schema handling\n* [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Manual)\n\n## Acknowledgements\n\nThis vulnerability was initially reported via an automated tool described below. Subsequently a duplicate report via @YacineF, and their patience working with the GeoServer project, was instrumental finding in escalating this issue and determining a resolution.\n\n### XBOW-025-068 Disclaimer\n\nThis vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.",
  "id": "GHSA-jj54-8f66-c5pc",
  "modified": "2025-06-10T20:10:07Z",
  "published": "2025-06-10T20:10:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
    },
    {
      "type": "WEB",
      "url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "[XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service"
}

GHSA-JJ7F-WQMM-8Q5F

Vulnerability from github – Published: 2022-05-17 00:35 – Updated: 2022-05-17 00:35
VLAI
Details

An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions < V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions < V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-30T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE vulnerability has been identified in OPC Foundation UA .NET Sample Code before 2017-03-21 and Local Discovery Server (LDS) before 1.03.367. Among the affected products are Siemens SIMATIC PCS7 (All versions V8.1 and earlier), SIMATIC WinCC (All versions \u003c V7.4 SP1), SIMATIC WinCC Runtime Professional (All versions \u003c V14 SP1), SIMATIC NET PC Software, and SIMATIC IT Production Suite. By sending specially crafted packets to the OPC Discovery Server at port 4840/tcp, an attacker might cause the system to access various resources chosen by the attacker.",
  "id": "GHSA-jj7f-wqmm-8q5f",
  "modified": "2022-05-17T00:35:07Z",
  "published": "2022-05-17T00:35:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12069"
    },
    {
      "type": "WEB",
      "url": "https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2017-12069.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100559"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJP7-4G9F-H4V5

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04
VLAI
Details

A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-09T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "A XML external entity (XXE) vulnerability exists in the import.cgi of the web interface component of the Schneider Electric\u0027s Pelco Sarix Professional in all firmware versions prior to 3.29.67.",
  "id": "GHSA-jjp7-4g9f-h4v5",
  "modified": "2022-05-13T01:04:05Z",
  "published": "2022-05-13T01:04:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7230"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-058-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJWR-5CFH-7XWH

Vulnerability from github – Published: 2025-07-15 18:04 – Updated: 2025-07-15 18:04
VLAI
Summary
DSpace is vulnerable to XML External Entity injection during archive imports
Details

Impact

Two related XXE injection possibilities have been discovered, impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1.

  1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (./dspace import command) or from the "Batch Import (Zip)" user interface feature. (Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0)
  2. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. (Impacts all versions of DSpace 7.0 <= 7.6.3, 8.0 <= 8.1 and 9.0)

An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running or content from remote URLs. The ability to include content from a remote URL could result in a request forgery attack, and disclosure of sensitive information in the response.

The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). * The most severe practical impact is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user, or secrets and access tokens from an authenticated service via request forgery. * An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.

The Import from External Sources feature has a narrower attack vector. While this feature is usable by any DSpace Submitter, the malicious payload must be provided by the external source (e.g. arXiv, Crossref, OpenAIRE, or Creative Commons). No known method exists for an attacker to inject XXE via content uploads. Instead, the service itself would need to be compromised in such a way that it would inject a malicious payload into its API response.

Patches

The fix is included in DSpace 7.6.4, 8.2 and 9.1. Please upgrade to one of these versions.

If you cannot upgrade immediately, it is possible to manually patch your DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. This pull request provides central methods to retrieve Java XML, SAX, JAXB XML document builders with safe default settings, including XXE protection. * Pull request for 7.x: https://github.com/DSpace/DSpace/pull/11032 (Downloadable patch file) * Pull request for 8.x: https://github.com/DSpace/DSpace/pull/11034 (Downloadable patch file) * Pull request for 9.0: https://github.com/DSpace/DSpace/pull/11035 (Downloadable patch file)

Apply the patch to your DSpace

If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches to your DSpace backend as follows: 1. Download the appropriate patch file to the machine where DSpace backend is running 2. From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch 3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps: 1. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace backend code) 2. Redeploy DSpace, e.g. ant update (This will copy all newly built code to your installation directory). Depending on your setup you also may need to copy the updated "server" webapp over to your Tomcat webapps folder. 3. Restart Tomcat (or runnable JAR)

Workarounds

Patching the system is the recommended fix. It is not possible to fully protect your system via workarounds.

That said, until you are able to patch your system or upgrade, you can apply these best practices: * Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. If SAF archives are too large to manually inspect, you should avoid importing them until your site is patched. * As necessary, affected external services can be disabled (see documentation) to mitigate the ability for a malicious payload to be delivered via external service APIs.

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703) Code fix developed by Kim Shepherd (@kshepherd) of The Library Code

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0"
            },
            {
              "fixed": "9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-15T18:04:53Z",
    "nvd_published_at": "2025-07-15T15:15:25Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nTwo related XXE injection possibilities have been discovered, **impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1**.\n\n1. External entities are not disabled when parsing XML files during import of an archive (in [Simple Archive Format](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566653)), either from command-line (`./dspace import` command) or from the \"Batch Import (Zip)\" user interface feature.  _(Likely impacts all versions of DSpace 1.x \u003c= 7.6.3, 8.0 \u003c= 8.1, and 9.0)_\n2. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in [import from external sources](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566672) via the user interface or REST API. _(Impacts all versions of DSpace 7.0 \u003c= 7.6.3, 8.0 \u003c= 8.1 and 9.0)_\n\nAn XXE injection in these files may result in a connection being made to an attacker\u0027s site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running or content from remote URLs. The ability to include content from a remote URL could result in a request forgery attack, and disclosure of sensitive information in the  response.\n\n**The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators** (from user interface / REST API) or system administrators (from command-line).  Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import).\n* **The most severe practical impact** is a case where an attacker obtains DSpace administrator credentials and uses the Batch Import feature with a malicious SAF archive to expose sensitive local files readable by the Tomcat user, or secrets and access tokens from an authenticated service via request forgery.\n* An attacker without administrative credentials might use some other tactic to convince an administrator to import a malicious SAF archive they have supplied.\n\n**The Import from External Sources feature has a narrower attack vector**.  While this feature is usable by any DSpace Submitter, the malicious payload must be provided *by the external source* (e.g. arXiv, Crossref, OpenAIRE, or Creative Commons).  No known method exists for an attacker to inject XXE via content uploads. Instead, the service itself would need to be compromised in such a way that it would inject a malicious payload into its API response.\n\n### Patches\n\nThe fix is included in DSpace 7.6.4, 8.2 and 9.1. Please upgrade to one of these versions.\n\nIf you cannot upgrade immediately, it is possible to manually patch your DSpace backend. (No changes are necessary to the frontend.)  A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. This pull request provides central methods to retrieve Java XML, SAX, JAXB XML document builders with safe default settings, including XXE protection.\n* Pull request for 7.x: https://github.com/DSpace/DSpace/pull/11032 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11032.patch))\n* Pull request for 8.x: https://github.com/DSpace/DSpace/pull/11034 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11034.patch))\n* Pull request for 9.0: https://github.com/DSpace/DSpace/pull/11035 ([Downloadable patch file](https://github.com/DSpace/DSpace/pull/11035.patch))\n\n#### Apply the patch to your DSpace\nIf at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches to your DSpace backend as follows:\n1. Download the appropriate patch file to the machine where DSpace backend is running\n2. From the `[dspace-src]` folder, apply the patch, e.g. `git apply [name-of-file].patch`\n3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:\n    1. Rebuild DSpace, e.g. `mvn -U clean package`  (This will recompile all DSpace backend code)\n    2. Redeploy DSpace, e.g. `ant update`  (This will copy all newly built code to your installation directory). Depending on your setup you also may need to copy the updated \"server\" webapp over to your Tomcat webapps folder.\n    3. Restart Tomcat (or runnable JAR)\n\n### Workarounds\n**Patching the system is the recommended fix.** It is not possible to fully protect your system via workarounds.\n\nThat said, until you are able to patch your system or upgrade, you can apply these best practices:\n* Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing.  If SAF archives are too large to manually inspect, you should avoid importing them until your site is patched.\n* As necessary, affected external services can be disabled (see [documentation](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566672)) to mitigate the ability for a malicious payload to be delivered via external service APIs.\n\n\n### Credits\nDiscovered \u0026 reported by Pablo Picurelli Ortiz (@superpegaso2703)\nCode fix developed by Kim Shepherd (@kshepherd) of The Library Code\n\n### For more information\n* [XXE Cheat Sheet / Explanations](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n* If you have any questions or comments about this advisory, please contact us at [security@dspace.org](mailto:security@dspace.org)",
  "id": "GHSA-jjwr-5cfh-7xwh",
  "modified": "2025-07-15T18:04:53Z",
  "published": "2025-07-15T18:04:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-jjwr-5cfh-7xwh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11032"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11032.patch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11034"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11034.patch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11035"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/pull/11035.patch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DSpace/DSpace"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DSpace is vulnerable to XML External Entity injection during archive imports "
}

GHSA-JJX4-28Q5-R3GR

Vulnerability from github – Published: 2025-10-24 15:31 – Updated: 2025-10-24 15:31
VLAI
Details

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-24T14:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.",
  "id": "GHSA-jjx4-28q5-r3gr",
  "modified": "2025-10-24T15:31:26Z",
  "published": "2025-10-24T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46425"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000382899/dsa-2025-393-security-update-for-storage-center-dell-storage-manager-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJXH-VPF5-JM42

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 15:32
VLAI
Details

An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie project, allowing an attacker to inject malicious XML entities. This vulnerability occurs due to insecure parsing of XML input using the DocumentBuilderFactory class without disabling external entity resolution. An attacker can exploit this vulnerability to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. The issue has been fixed in both Ambari 2.7.9 and the trunk branch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T22:15:12Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie \nproject, allowing an attacker to inject malicious XML entities. This \nvulnerability occurs due to insecure parsing of XML input using the \n`DocumentBuilderFactory` class without disabling external entity \nresolution. An attacker can exploit this vulnerability to read arbitrary\n files on the server or perform server-side request forgery (SSRF) \nattacks. The issue has been fixed in both Ambari 2.7.9 and the trunk \nbranch.",
  "id": "GHSA-jjxh-vpf5-jm42",
  "modified": "2025-01-22T15:32:33Z",
  "published": "2025-01-22T00:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23195"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/hsb6mvxd7g37dq1ygtd0pd88gs9tfcwq"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/01/21/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMHH-HG4R-G2C2

Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-20 03:40
VLAI
Details

xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service",
  "id": "GHSA-jmhh-hg4r-g2c2",
  "modified": "2025-04-20T03:40:45Z",
  "published": "2022-05-13T01:09:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000061"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lsh123/xmlsec/issues/43"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2492"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JPX5-QV8Q-FWXP

Vulnerability from github – Published: 2024-03-28 21:30 – Updated: 2024-03-28 21:30
VLAI
Details

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T19:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.",
  "id": "GHSA-jpx5-qv8q-fwxp",
  "modified": "2024-03-28T21:30:31Z",
  "published": "2024-03-28T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25971"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ6W-J2RM-C2QQ

Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-23 18:30
VLAI
Details

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
  "id": "GHSA-jq6w-j2rm-c2qq",
  "modified": "2023-03-23T18:30:19Z",
  "published": "2023-03-22T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41696"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ8C-J47C-VVWM

Vulnerability from github – Published: 2022-09-23 00:00 – Updated: 2022-09-27 22:14
VLAI
Summary
Apache SOAP's RPCRouterServlet allows reading of arbitrary files over HTTP
Details

An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "soap:soap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "last_affected": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-27T22:14:56Z",
    "nvd_published_at": "2022-09-22T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-jq8c-j47c-vvwm",
  "modified": "2022-09-27T22:14:56Z",
  "published": "2022-09-23T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40705"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/02yo04w93rdjmllz4454lvodn5xzhwhl"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/09/22/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache SOAP\u0027s RPCRouterServlet allows reading of arbitrary files over HTTP"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.