Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1693 vulnerabilities reference this CWE, most recent first.

GHSA-M739-F9CM-66X2

Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-08 18:31
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).

This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T08:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).\n\nThis issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.\n\nUsers are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.",
  "id": "GHSA-m739-f9cm-66x2",
  "modified": "2026-07-08T18:31:32Z",
  "published": "2026-07-03T09:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47898"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/7yn9k6sbbsk18yco5y2hszpcf8dst489"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/03/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M745-JCVJ-8CX6

Vulnerability from github – Published: 2023-10-18 12:30 – Updated: 2025-10-22 00:32
VLAI
Details

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-18T10:15:08Z",
    "severity": "HIGH"
  },
  "details": "Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.",
  "id": "GHSA-m745-jcvj-8cx6",
  "modified": "2025-10-22T00:32:51Z",
  "published": "2023-10-18T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45727"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN95981460"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-45727"
    },
    {
      "type": "WEB",
      "url": "https://www.proself.jp/information/153"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7JW-5WWC-GXWH

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-10-14 12:00
VLAI
Details

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-03T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMWare vCenter prior to version 6.1.0 that could allow information disclosure.",
  "id": "GHSA-m7jw-5wwc-gxwh",
  "modified": "2022-10-14T12:00:18Z",
  "published": "2022-05-24T16:55:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6179"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/solutions/LEN-27805"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7M4-4VM8-55WG

Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-10-21 20:11
VLAI
Summary
PyAMF vulnerable to XML external entity (XXE)
Details

PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyamf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-31T21:54:25Z",
    "nvd_published_at": "2020-01-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulnerability in PyAMF before 0.8.0 allows remote attackers to cause a denial of service or read arbitrary files via a crafted Action Message Format (AMF) payload.",
  "id": "GHSA-m7m4-4vm8-55wg",
  "modified": "2024-10-21T20:11:40Z",
  "published": "2022-05-24T17:06:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8549"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydralabs/pyamf/pull/58"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-m7m4-4vm8-55wg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hydralabs/pyamf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydralabs/pyamf/releases/tag/v0.8.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyamf/PYSEC-2020-339.yaml"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/pyamf"
    },
    {
      "type": "WEB",
      "url": "http://www.ocert.org/advisories/ocert-2015-011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PyAMF vulnerable to XML external entity (XXE)"
}

GHSA-M7XH-548P-355R

Vulnerability from github – Published: 2025-12-24 06:30 – Updated: 2025-12-24 06:30
VLAI
Details

OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T06:15:43Z",
    "severity": "MODERATE"
  },
  "details": "OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.",
  "id": "GHSA-m7xh-548p-355r",
  "modified": "2025-12-24T06:30:26Z",
  "published": "2025-12-24T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58335"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jcthiele/OpenXRechnungToolbox/commit/6c50e8979924b09f336c976cbad3a9ebfe25ebf9"
    },
    {
      "type": "WEB",
      "url": "https://invoice.secvuln.info"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M84V-PJJQ-FHH8

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:37
VLAI
Details

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-31T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.",
  "id": "GHSA-m84v-pjjq-fhh8",
  "modified": "2024-04-04T02:37:32Z",
  "published": "2022-05-24T17:00:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18227"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-304-01"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-936"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-939"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-942"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-943"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-944"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-945"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-946"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-947"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-953"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-954"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-959"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8CJ-3V68-3CXJ

Vulnerability from github – Published: 2024-06-13 09:31 – Updated: 2024-07-17 19:15
VLAI
Summary
Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability
Details

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.4"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.6-p1"
            },
            {
              "fixed": "2.4.6-p6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.5-p1"
            },
            {
              "fixed": "2.4.5-p8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4-p9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.5"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.6"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "versions": [
        "2.4.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-13T19:33:57Z",
    "nvd_published_at": "2024-06-13T09:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-m8cj-3v68-3cxj",
  "modified": "2024-07-17T19:15:32Z",
  "published": "2024-06-13T09:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magento/magento2/commit/30877fce83b793f71421c47347885cf076e81799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magento/magento2/commit/a3c6d6e5e95e63031e4df26cfcf76feace7549c2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magento/magento2/commit/c5c538810b87449886f4669cb8abbe8e5593c83c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magento/magento2/commit/d10435b11ada4e502dca7539f8fd31d059d3c482#diff-84a0773a6287fbbaadf3b9103f4a137fc0b6946de2437ddfd6f60a0722cf8d23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2024-34102.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb24-40.html"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento Open Source affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability"
}

GHSA-M8GJ-RHH9-783Q

Vulnerability from github – Published: 2025-03-05 18:32 – Updated: 2025-03-05 18:32
VLAI
Details

External XML entity injection allows arbitrary download of files. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "External XML entity injection allows arbitrary download of files. The \nscore without least privilege principle violation is as calculated \nbelow. In combination with other issues it may facilitate further \ncompromise of the device. Remediation in Version 6.8.0, release date: \n01-Mar-25.",
  "id": "GHSA-m8gj-rhh9-783q",
  "modified": "2025-03-05T18:32:09Z",
  "published": "2025-03-05T18:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24521"
    },
    {
      "type": "WEB",
      "url": "https://support.ixiacom.com"
    },
    {
      "type": "WEB",
      "url": "https://support.ixiacom.com/support-overview/product-support/downloads-updates"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-02"
    },
    {
      "type": "WEB",
      "url": "https://www.keysight.com/us/en/contact.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M8GQ-83GH-V42V

Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-03-18 23:52
VLAI
Summary
XML External Entities Vulnerability in CVRF-CSAF-Converter
Details

CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0rc1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "cvrf2csaf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0rc2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T23:52:30Z",
    "nvd_published_at": "2022-03-15T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter.",
  "id": "GHSA-m8gq-83gh-v42v",
  "modified": "2022-03-18T23:52:30Z",
  "published": "2022-03-16T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27193"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/csaf-tools/CVRF-CSAF-Converter"
    },
    {
      "type": "WEB",
      "url": "https://github.com/csaf-tools/CVRF-CSAF-Converter/releases/tag/1.0.0-rc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entities Vulnerability in CVRF-CSAF-Converter"
}

GHSA-M929-7FR6-CVJG

Vulnerability from github – Published: 2018-10-17 17:23 – Updated: 2022-04-27 13:58
VLAI
Summary
Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references
Details

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.data:spring-data-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.data:spring-data-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:45:35Z",
    "nvd_published_at": "2018-05-11T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system.",
  "id": "GHSA-m929-7fr6-cvjg",
  "modified": "2022-04-27T13:58:00Z",
  "published": "2018-10-17T17:23:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1259"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1809"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3768"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-m929-7fr6-cvjg"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2018-1259"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.