CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-Q27H-QQPJ-X283
Vulnerability from github – Published: 2025-01-14 03:31 – Updated: 2025-01-14 03:31We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.
{
"affected": [],
"aliases": [
"CVE-2024-12298"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T01:15:09Z",
"severity": "MODERATE"
},
"details": "We found a vulnerability Improper Restriction of XML External Entity Reference (CWE-611) in NB-series NX-Designer. Attackers may be able to abuse this vulnerability to disclose confidential data on a computer.",
"id": "GHSA-q27h-qqpj-x283",
"modified": "2025-01-14T03:31:40Z",
"published": "2025-01-14T03:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12298"
},
{
"type": "WEB",
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/en/OMSR-2025-002_en.pdf"
},
{
"type": "WEB",
"url": "https://www.fa.omron.co.jp/product/security/assets/pdf/ja/OMSR-2025-002_ja.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q2JQ-J2Q9-J85C
Vulnerability from github – Published: 2023-06-01 18:30 – Updated: 2024-04-04 04:27On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.
{
"affected": [],
"aliases": [
"CVE-2023-32706"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T17:15:10Z",
"severity": "MODERATE"
},
"details": "On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.",
"id": "GHSA-q2jq-j2q9-j85c",
"modified": "2024-04-04T04:27:52Z",
"published": "2023-06-01T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32706"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q2V2-62R4-P3M4
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855.
{
"affected": [],
"aliases": [
"CVE-2018-1920"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-07T16:29:00Z",
"severity": "HIGH"
},
"details": "IBM Marketing Platform 9.1.0, 9.1.2 and 10.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152855.",
"id": "GHSA-q2v2-62r4-p3m4",
"modified": "2022-05-13T01:32:29Z",
"published": "2022-05-13T01:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1920"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/152855"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10744217"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q386-W6FG-GMGP
Vulnerability from github – Published: 2023-07-28 15:35 – Updated: 2023-07-28 15:35TL;DR
This vulnerability only affects Kirby sites that use the Xml data handler (e.g. Data::decode($string, 'xml')) or the Xml::parse() method in site or plugin code. The Kirby core does not use any of the affected methods.
If you use an affected method and cannot rule out XML input controlled by an attacker, we strongly recommend to update to a patch release.
Introduction
XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).
Impact
Kirby's Xml::parse() method used PHP's LIBXML_NOENT constant, which enabled the processing of XML external entities during the parsing operation.
The Xml::parse() method is used in the Xml data handler (e.g. Data::decode($string, 'xml')).
Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process.
Kirby sites that don't use XML parsing in site or plugin code are not affected.
Patches
The problem has been patched in Kirby 3.5.8.3, Kirby 3.6.6.3, Kirby 3.7.5.2, Kirby 3.8.4.1 and Kirby 3.9.6. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have removed the LIBXML_NOENT constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.
Credits
Thanks to Alexandre Zanni (@noraj) at ACCEIS and Patrick Falb (@dapatrese) at FORMER 03 for responsibly reporting the identified issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0"
},
{
"fixed": "3.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38490"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-28T15:35:04Z",
"nvd_published_at": "2023-07-27T15:15:12Z",
"severity": "MODERATE"
},
"details": "### TL;DR\n\nThis vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, \u0027xml\u0027)`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.\n\nIf you use an affected method and cannot rule out XML input controlled by an attacker, we strongly recommend to update to a patch release.\n\n----\n\n### Introduction\n\nXML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).\n\n### Impact\n\nKirby\u0027s `Xml::parse()` method used PHP\u0027s `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation.\n\nThe `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, \u0027xml\u0027)`).\n\nBoth the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process.\n\nKirby sites that don\u0027t use XML parsing in site or plugin code are *not* affected.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.5.8.3](https://github.com/getkirby/kirby/releases/tag/3.5.8.3), [Kirby 3.6.6.3](https://github.com/getkirby/kirby/releases/tag/3.6.6.3), [Kirby 3.7.5.2](https://github.com/getkirby/kirby/releases/tag/3.7.5.2), [Kirby 3.8.4.1](https://github.com/getkirby/kirby/releases/tag/3.8.4.1) and [Kirby 3.9.6](https://github.com/getkirby/kirby/releases/tag/3.9.6). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.\n\n### Credits\n\nThanks to Alexandre Zanni (@noraj) at [ACCEIS](https://www.acceis.fr/) and Patrick Falb (@dapatrese) at [FORMER 03](https://former03.de/) for responsibly reporting the identified issue.",
"id": "GHSA-q386-w6fg-gmgp",
"modified": "2023-07-28T15:35:04Z",
"published": "2023-07-28T15:35:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38490"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity (XXE) vulnerability in the XML data handler"
}
GHSA-Q3W8-XP79-MQPH
Vulnerability from github – Published: 2022-05-14 01:43 – Updated: 2022-05-14 01:43The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2018-20157"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-15T00:29:00Z",
"severity": "HIGH"
},
"details": "The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.",
"id": "GHSA-q3w8-xp79-mqph",
"modified": "2022-05-14T01:43:19Z",
"published": "2022-05-14T01:43:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20157"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/issues/1907"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q423-XQRX-XQPF
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document.
{
"affected": [],
"aliases": [
"CVE-2021-20838"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-01T02:15:00Z",
"severity": "HIGH"
},
"details": "Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS) condition by processing a specially crafted XML document.",
"id": "GHSA-q423-xqrx-xqpf",
"modified": "2022-05-24T19:19:22Z",
"published": "2022-05-24T19:19:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20838"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN33453839/index.html"
},
{
"type": "WEB",
"url": "https://www.antenna.co.jp/news/2021/osdc72-20211027.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q425-6M5X-QP5P
Vulnerability from github – Published: 2022-05-02 03:27 – Updated: 2024-02-10 03:30The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
{
"affected": [],
"aliases": [
"CVE-2009-1699"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-06-10T18:00:00Z",
"severity": "HIGH"
},
"details": "The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an \"XXE attack.\"",
"id": "GHSA-q425-6m5x-qp5p",
"modified": "2024-02-10T03:30:18Z",
"published": "2022-05-02T03:27:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1699"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/8907"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/54972"
},
{
"type": "WEB",
"url": "http://scary.beasts.org/security/CESA-2009-006.html"
},
{
"type": "WEB",
"url": "http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35379"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43068"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3613"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3639"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/35260"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/35321"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-857-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/1522"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/1621"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0212"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q42M-MP58-HXV5
Vulnerability from github – Published: 2023-10-09 12:30 – Updated: 2024-04-04 08:26In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE
{
"affected": [],
"aliases": [
"CVE-2023-45612"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T11:15:11Z",
"severity": "CRITICAL"
},
"details": "In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE",
"id": "GHSA-q42m-mp58-hxv5",
"modified": "2024-04-04T08:26:02Z",
"published": "2023-10-09T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45612"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q43H-4XR8-J6FQ
Vulnerability from github – Published: 2022-05-14 02:47 – Updated: 2022-05-14 02:47XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
{
"affected": [],
"aliases": [
"CVE-2015-7326"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-07T14:29:00Z",
"severity": "CRITICAL"
},
"details": "XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.",
"id": "GHSA-q43h-4xr8-j6fq",
"modified": "2022-05-14T02:47:37Z",
"published": "2022-05-14T02:47:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7326"
},
{
"type": "WEB",
"url": "https://github.com/miltonio/milton2/commit/5f81b0c48a817d4337d8b0e99ea0b4744ecd720b"
},
{
"type": "WEB",
"url": "https://github.com/miltonio/milton2/commit/b41072b"
},
{
"type": "WEB",
"url": "https://github.com/miltonio/milton2/commit/b5851c1"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/134178/Milton-Webdav-2.7.0.1-XXE-Injection.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/536813/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/77392"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q485-J897-QC27
Vulnerability from github – Published: 2019-01-07 19:14 – Updated: 2022-09-14 22:34c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.5.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.mchange:c3p0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20433"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:50:54Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.",
"id": "GHSA-q485-j897-qc27",
"modified": "2022-09-14T22:34:12Z",
"published": "2019-01-07T19:14:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20433"
},
{
"type": "WEB",
"url": "https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q485-j897-qc27"
},
{
"type": "PACKAGE",
"url": "https://github.com/zhutougg/c3p0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in mchange:c3p0"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.