Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-PRGJ-F78P-GH4P

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45
VLAI
Details

IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-10T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.",
  "id": "GHSA-prgj-f78p-gh4p",
  "modified": "2022-05-17T02:45:41Z",
  "published": "2022-05-17T02:45:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1103"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22002429"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV39-QP28-4MGH

Vulnerability from github – Published: 2022-03-26 00:00 – Updated: 2022-04-12 16:40
VLAI
Summary
Improper Restriction of XML External Entity Reference in soa-model
Details

Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.predic8:soa-model-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.predic8:soa-model-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-30T15:05:12Z",
    "nvd_published_at": "2022-03-25T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.",
  "id": "GHSA-pv39-qp28-4mgh",
  "modified": "2022-04-12T16:40:09Z",
  "published": "2022-03-26T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43090"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/issues/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/commit/19de16902468e7963cc4dc6b544574bc1ea3f251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/commit/3aa295f155f621d5ea661cb9a0604013fc8fd8ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/membrane/soa-model"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/releases/tag/v1.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in soa-model"
}

GHSA-PVF4-HR84-4G6R

Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30
VLAI
Details

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
  "id": "GHSA-pvf4-hr84-4g6r",
  "modified": "2023-03-24T06:30:16Z",
  "published": "2023-03-22T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46300"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVXF-5HXJ-54CH

Vulnerability from github – Published: 2022-05-17 02:12 – Updated: 2022-05-17 02:12
VLAI
Details

XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-08T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.",
  "id": "GHSA-pvxf-5hxj-54ch",
  "modified": "2022-05-17T02:12:13Z",
  "published": "2022-05-17T02:12:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2245"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/repos/asf/wink/trunk/security/CVE-2010-2245.pdf"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=wink-user\u0026m=127843482925387\u0026w=2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW7G-J3C6-JJPP

Vulnerability from github – Published: 2025-02-19 18:32 – Updated: 2025-02-19 18:32
VLAI
Details

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0

is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\n\n\nis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-pw7g-j3c6-jjpp",
  "modified": "2025-02-19T18:32:23Z",
  "published": "2025-02-19T18:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47160"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW95-88FG-3J6F

Vulnerability from github – Published: 2025-05-05 20:40 – Updated: 2025-05-05 22:07
VLAI
Summary
Langroid Allows XXE Injection via XMLToolMessage
Details

Summary

A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.

Details

XMLToolMessage uses lxml without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries

PoC

A typical Quadratic blowup XML payload looks like this:

<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>

Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.

Fix

Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langroid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.53.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:44Z",
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.\n\n### Details\n`XMLToolMessage` uses `lxml` without safeguards:\nhttps://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52\n`lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. \nCheck here: https://pypi.org/project/defusedxml/#python-xml-libraries\n\n### PoC\nA typical Quadratic blowup XML payload looks like this:\n```xml\n\u003c!DOCTYPE bomb [\n\u003c!ENTITY a \"aaaaaaaaaa\"\u003e\n\u003c!ENTITY b \"\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\"\u003e\n\u003c!ENTITY c \"\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\"\u003e\n]\u003e\n\u003cbomb\u003e\u0026c;\u003c/bomb\u003e\n```\nHere, \u0026a; expands to 10 characters, \u0026b; expands to 100, and \u0026c; expands to 1000, causing exponential memory usage and potentially crashing the application.\n \n### Fix\nLangroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.\nhttps://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3",
  "id": "GHSA-pw95-88fg-3j6f",
  "modified": "2025-05-05T22:07:30Z",
  "published": "2025-05-05T20:40:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langroid/langroid"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Langroid Allows XXE Injection via XMLToolMessage"
}

GHSA-PWM3-776C-8Q7Q

Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-15 17:28
VLAI
Summary
BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference
Details

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.

This issue affects webdrivermanager: from 1.0.0 before 6.1.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.bonigarcia:webdrivermanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T17:27:58Z",
    "nvd_published_at": "2025-05-14T19:15:53Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.1.0.",
  "id": "GHSA-pwm3-776c-8q7q",
  "modified": "2025-05-15T17:28:16Z",
  "published": "2025-05-14T21:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bonigarcia/webdrivermanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference"
}

GHSA-PXHP-JR2P-7HW7

Vulnerability from github – Published: 2023-01-15 09:30 – Updated: 2025-04-08 21:31
VLAI
Details

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-15T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as \"machine example.com login daniel password qwerty\" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.",
  "id": "GHSA-pxhp-jr2p-7hw7",
  "modified": "2025-04-08T21:31:28Z",
  "published": "2023-01-15T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23595"
    },
    {
      "type": "WEB",
      "url": "https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp"
    },
    {
      "type": "WEB",
      "url": "https://everything.curl.dev/usingcurl/netrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXM4-R5PH-Q2M2

Vulnerability from github – Published: 2024-12-02 17:25 – Updated: 2024-12-13 20:39
VLAI
Summary
SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Details

Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.

While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE

From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).

RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.

Note: The mitigation here: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69 Comes too late, as the XML has already been loaded into a document. Mitigation:

Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options. Additionally, as a defense in depth measure, check if there is the string: <!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: <! DOCTYPE)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2-legacy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:25:43Z",
    "nvd_published_at": "2024-12-02T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE.\n\n$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41\nincluding the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.\n\nWhile there is the NONET option, an attacker can simply bypass if by using PHP filters:\nphp://filter/convert.base64-encode/resource=http://URL OR FILE\n\nFrom there an attacker can induce network connections and steal the targeted file OOB (haven\u0027t fully tested this).\n\nRCE may be possible with the php://expect or php://phar wrappers, but this hasn\u0027t been tested.\n\nNote:\nThe mitigation here:\nhttps://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69\nComes too late, as the XML has already been loaded into a document.\nMitigation:\n\nRemove the LIBXML_DTDLOAD | LIBXML_DTDATTR options.\nAdditionally, as a defense in depth measure, check if there is the string: \u003c!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: \u003c! DOCTYPE)",
  "id": "GHSA-pxm4-r5ph-q2m2",
  "modified": "2024-12-13T20:39:57Z",
  "published": "2024-12-02T17:25:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/saml2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SimpleSAMLphp SAML2 has an XXE in parsing SAML messages"
}

GHSA-Q25X-FW47-2XVM

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-12T11:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.",
  "id": "GHSA-q25x-fw47-2xvm",
  "modified": "2022-05-13T01:32:34Z",
  "published": "2022-05-13T01:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1844"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150904"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10732755"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.