CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-PJCH-4G28-FXX7
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-24 20:58The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.twelvemonkeys.imageio:imageio-metadata"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23792"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T20:58:43Z",
"nvd_published_at": "2022-05-06T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.",
"id": "GHSA-pjch-4g28-fxx7",
"modified": "2022-05-24T20:58:43Z",
"published": "2022-05-07T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23792"
},
{
"type": "WEB",
"url": "https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80"
},
{
"type": "PACKAGE",
"url": "https://github.com/haraldk/TwelveMonkeys"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "External Entity Reference in TwelveMonkeys ImageIO"
}
GHSA-PJMC-XJQ4-H7JM
Vulnerability from github – Published: 2022-05-17 02:47 – Updated: 2022-05-17 02:47WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.
{
"affected": [],
"aliases": [
"CVE-2017-8056"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-22T22:59:00Z",
"severity": "MODERATE"
},
"details": "WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.",
"id": "GHSA-pjmc-xjq4-h7jm",
"modified": "2022-05-17T02:47:51Z",
"published": "2022-05-17T02:47:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8056"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/142177/watchguardfbxtm-xxeinject.txt"
},
{
"type": "WEB",
"url": "https://www.sidertia.com/Home/Community/Blog/2017/04/17/Fixed-the-Fireware-Vulnerabilities-discovered-by-Sidertia"
},
{
"type": "WEB",
"url": "https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_2/index.html"
},
{
"type": "WEB",
"url": "http://watchguardsupport.force.com/publicKB?type=KBSecurityIssues\u0026SFDCID=kA62A0000000KlBSAU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PJP4-RRP6-VQR7
Vulnerability from github – Published: 2022-05-17 03:35 – Updated: 2022-05-17 03:35IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-3033"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-01T11:59:00Z",
"severity": "HIGH"
},
"details": "IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-pjp4-rrp6-vqr7",
"modified": "2022-05-17T03:35:31Z",
"published": "2022-05-17T03:35:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3033"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987326"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92388"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMQQ-7WFV-JFFF
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2023-09-26 11:39The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.poi:poi-examples"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-5000"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:53:05Z",
"nvd_published_at": "2016-08-05T14:59:00Z",
"severity": "MODERATE"
},
"details": "The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-pmqq-7wfv-jfff",
"modified": "2023-09-26T11:39:10Z",
"published": "2022-05-13T01:14:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5000"
},
{
"type": "WEB",
"url": "https://lists.apache.org/list.html?user@poi.apache.org"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache POI\u0027s XLSX2CSV Example XML External Entity (XXE) Vulnerability"
}
GHSA-PP2F-3WRG-GX2G
Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.
{
"affected": [],
"aliases": [
"CVE-2017-1192"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-10T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 123663.",
"id": "GHSA-pp2f-3wrg-gx2g",
"modified": "2022-05-14T03:47:11Z",
"published": "2022-05-14T03:47:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1192"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123663"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004267"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102864"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PP98-436H-9QGG
Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2024-04-04 03:42HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2023-28008"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-26T20:15:10Z",
"severity": "HIGH"
},
"details": "HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\n",
"id": "GHSA-pp98-436h-9qgg",
"modified": "2024-04-04T03:42:17Z",
"published": "2023-04-26T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28008"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0104371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PPV9-V43C-XQPP
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-10-27 16:08Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:pom2config"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43576"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:42:36Z",
"nvd_published_at": "2021-11-12T11:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-ppv9-v43c-xqpp",
"modified": "2023-10-27T16:08:37Z",
"published": "2022-05-24T19:20:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43576"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/pom2config-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2415"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1314"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/11/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins pom2config Plugin"
}
GHSA-PQG2-Q88Q-5H4P
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2025-10-22 00:31BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
{
"affected": [],
"aliases": [
"CVE-2016-9563"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-11-23T02:59:00Z",
"severity": "MODERATE"
},
"details": "BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.",
"id": "GHSA-pqg2-q88q-5h4p",
"modified": "2025-10-22T00:31:17Z",
"published": "2022-04-30T00:02:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9563"
},
{
"type": "WEB",
"url": "https://erpscan.io/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2296909"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-9563"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PR38-7Q66-HQQH
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2025-03-24 21:30Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-24323"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "HIGH"
},
"details": "Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.",
"id": "GHSA-pr38-7q66-hqqh",
"modified": "2025-03-24T21:30:27Z",
"published": "2023-02-09T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24323"
},
{
"type": "WEB",
"url": "https://github.com/blakduk/Advisories/blob/main/Mojoportal/README.md"
},
{
"type": "WEB",
"url": "https://github.com/i7MEDIA/mojoportal"
},
{
"type": "WEB",
"url": "https://www.mojoportal.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PR9H-G7P7-RRQH
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-11-03 19:13Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jvnet.hudson.plugins.findbugs:library"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000011"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-03T19:13:08Z",
"nvd_published_at": "2018-01-23T14:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-pr9h-g7p7-rrqh",
"modified": "2022-11-03T19:13:08Z",
"published": "2022-05-14T03:46:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000011"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-01-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in Jenkins FindBugs Plugin"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.