CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-P6C5-737R-2R93
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:39Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2020.2.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:klocwork"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2020.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2247"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T22:39:05Z",
"nvd_published_at": "2020-09-01T14:15:00Z",
"severity": "HIGH"
},
"details": "Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-p6c5-737r-2r93",
"modified": "2022-12-20T22:39:05Z",
"published": "2022-05-24T17:27:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2247"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/klocwork-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1831"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Klocwork Analysis Plugin"
}
GHSA-P72F-5P6W-9JJP
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.
{
"affected": [],
"aliases": [
"CVE-2018-2492"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-11T22:29:00Z",
"severity": "HIGH"
},
"details": "SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.",
"id": "GHSA-p72f-5p6w-9jjp",
"modified": "2022-05-13T01:10:44Z",
"published": "2022-05-13T01:10:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2492"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2642680"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106153"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P72G-PV48-7W9X
Vulnerability from github – Published: 2025-08-20 21:30 – Updated: 2025-11-05 20:40Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika-parser-pdf-module"
},
"ranges": [
{
"events": [
{
"introduced": "1.13"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika-parsers"
},
"ranges": [
{
"events": [
{
"introduced": "1.13"
},
{
"fixed": "2.0.0-ALPHA"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54988"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-21T14:36:27Z",
"nvd_published_at": "2025-08-20T20:15:33Z",
"severity": "CRITICAL"
},
"details": "Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.",
"id": "GHSA-p72g-pv48-7w9x",
"modified": "2025-11-05T20:40:56Z",
"published": "2025-08-20T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54988"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/pull/2291"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/2b52257304f4d3cde2b8463657380bdb936d9ef2"
},
{
"type": "WEB",
"url": "https://archive.apache.org/dist/tika/3.2.2/CHANGES-3.2.2.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tika"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/TIKA-4459"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/stn9oh7rfn9yv76n1srxr9w56oy04p72"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/20/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/20/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF"
}
GHSA-P7JF-PRFR-4V7Q
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.
{
"affected": [],
"aliases": [
"CVE-2018-3881"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-01T20:29:00Z",
"severity": "CRITICAL"
},
"details": "An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope\u0027s server that could cause an XXE, and potentially result in data compromise.",
"id": "GHSA-p7jf-prfr-4v7q",
"modified": "2022-05-13T01:02:02Z",
"published": "2022-05-13T01:02:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3881"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0559"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8CC-4954-R7HW
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2025-04-20 03:44XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.
{
"affected": [],
"aliases": [
"CVE-2017-9095"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-08T10:29:00Z",
"severity": "MODERATE"
},
"details": "XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.",
"id": "GHSA-p8cc-4954-r7hw",
"modified": "2025-04-20T03:44:29Z",
"published": "2022-05-17T00:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9095"
},
{
"type": "WEB",
"url": "https://thenopsled.com/divinglog.txt"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43187"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8MG-76FJ-RC53
Vulnerability from github – Published: 2023-02-03 00:30 – Updated: 2023-02-09 03:30IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.
{
"affected": [],
"aliases": [
"CVE-2022-22486"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T00:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.",
"id": "GHSA-p8mg-76fj-rc53",
"modified": "2023-02-09T03:30:18Z",
"published": "2023-02-03T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22486"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/226328"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6890697"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P99P-726H-C8V5
Vulnerability from github – Published: 2018-10-19 16:42 – Updated: 2022-09-14 19:12In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.juddi:juddi-client"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.3.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1307"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:48:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.",
"id": "GHSA-p99p-726h-c8v5",
"modified": "2022-09-14T19:12:48Z",
"published": "2018-10-19T16:42:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1307"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p99p-726h-c8v5"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/JUDDI-987"
},
{
"type": "WEB",
"url": "http://juddi.apache.org/security.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache juddi-client vulnerable to XML External Entity (XXE)"
}
GHSA-P9J3-8MPG-P3PF
Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-07 00:00The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.
{
"affected": [],
"aliases": [
"CVE-2021-33208"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-30T22:15:00Z",
"severity": "HIGH"
},
"details": "The \"Register an Ehcache Configuration File\" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.",
"id": "GHSA-p9j3-8mpg-p3pf",
"modified": "2022-04-07T00:00:29Z",
"published": "2022-04-01T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33208"
},
{
"type": "WEB",
"url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33208"
},
{
"type": "WEB",
"url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9WF-3XPG-C9G5
Vulnerability from github – Published: 2021-09-02 17:11 – Updated: 2024-10-24 21:53An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pywps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39371"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-25T19:48:42Z",
"nvd_published_at": "2021-08-23T01:15:00Z",
"severity": "HIGH"
},
"details": "An XML external entity (XXE) injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.",
"id": "GHSA-p9wf-3xpg-c9g5",
"modified": "2024-10-24T21:53:22Z",
"published": "2021-09-02T17:11:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39371"
},
{
"type": "WEB",
"url": "https://github.com/geopython/OWSLib/issues/790"
},
{
"type": "WEB",
"url": "https://github.com/geopython/pywps/pull/616"
},
{
"type": "WEB",
"url": "https://github.com/geopython/pywps/commit/7d6b26a2e931df2feca0b7fb24f4d01610825aee"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p9wf-3xpg-c9g5"
},
{
"type": "PACKAGE",
"url": "https://github.com/geopython/pywps"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pywps/PYSEC-2021-121.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XML External Entity Injection in PyWPS"
}
GHSA-PC2G-2G3X-J4C9
Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2022-03-30 00:01A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.
{
"affected": [],
"aliases": [
"CVE-2022-0861"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-23T15:15:00Z",
"severity": "MODERATE"
},
"details": "A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.",
"id": "GHSA-pc2g-2g3x-j4c9",
"modified": "2022-03-30T00:01:10Z",
"published": "2022-03-24T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0861"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.