CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-QFJV-998W-Q48F
Vulnerability from github – Published: 2018-11-06 23:15 – Updated: 2024-03-04 21:31An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope:syncope-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.syncope:syncope-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-17186"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:51:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.",
"id": "GHSA-qfjv-998w-q48f",
"modified": "2024-03-04T21:31:13Z",
"published": "2018-11-06T23:15:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17186"
},
{
"type": "WEB",
"url": "https://github.com/apache/syncope/commit/a0f35f45f8ca5c98853ae8477fb2db81a84709a"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qfjv-998w-q48f"
},
{
"type": "WEB",
"url": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core"
}
GHSA-QGM7-M77F-J8PF
Vulnerability from github – Published: 2023-04-02 21:30 – Updated: 2023-04-10 16:29Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:perfpublisher"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.09"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28682"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-03T22:55:48Z",
"nvd_published_at": "2023-04-02T21:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-qgm7-m77f-j8pf",
"modified": "2023-04-10T16:29:54Z",
"published": "2023-04-02T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28682"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/perfpublisher-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2928"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Performance Publisher Plugin vulnerable to XML external entity (XXE) attacks"
}
GHSA-QGQ2-9MQ2-X25J
Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
{
"affected": [],
"aliases": [
"CVE-2022-45121"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
"id": "GHSA-qgq2-9mq2-x25j",
"modified": "2023-03-24T06:30:16Z",
"published": "2023-03-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45121"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QH3M-QW6V-QVHG
Vulnerability from github – Published: 2018-10-17 16:20 – Updated: 2024-03-04 20:46In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-12544"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:51:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.",
"id": "GHSA-qh3m-qw6v-qvhg",
"modified": "2024-03-04T20:46:26Z",
"published": "2018-10-17T16:20:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12544"
},
{
"type": "WEB",
"url": "https://github.com/vert-x3/vertx-web/issues/1021"
},
{
"type": "WEB",
"url": "https://github.com/vert-x3/vertx-web/commit/ac8692c618d6180a9bc012a2ac8dbec821b1a97"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2946"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=539568"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qh3m-qw6v-qvhg"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Moderate severity vulnerability that affects io.vertx:vertx-core"
}
GHSA-QH8F-Q734-Q4QJ
Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-20 00:00The DOM XML parser and SAX XML parser components of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, and TIBCO Managed File Transfer Internet Server contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions 8.3.1 and below, TIBCO Managed File Transfer Command Center: versions 8.4.0 and 8.4.1, TIBCO Managed File Transfer Internet Server: versions 8.3.1 and below, and TIBCO Managed File Transfer Internet Server: versions 8.4.0 and 8.4.1.
{
"affected": [],
"aliases": [
"CVE-2022-22774"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T17:15:00Z",
"severity": "CRITICAL"
},
"details": "The DOM XML parser and SAX XML parser components of TIBCO Software Inc.\u0027s TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Command Center, TIBCO Managed File Transfer Internet Server, and TIBCO Managed File Transfer Internet Server contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute XML External Entity (XXE) attacks on the affected system. Affected releases are TIBCO Software Inc.\u0027s TIBCO Managed File Transfer Command Center: versions 8.3.1 and below, TIBCO Managed File Transfer Command Center: versions 8.4.0 and 8.4.1, TIBCO Managed File Transfer Internet Server: versions 8.3.1 and below, and TIBCO Managed File Transfer Internet Server: versions 8.4.0 and 8.4.1.",
"id": "GHSA-qh8f-q734-q4qj",
"modified": "2022-05-20T00:00:37Z",
"published": "2022-05-11T00:01:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22774"
},
{
"type": "WEB",
"url": "https://www.tibco.com/services/support/advisories"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2022/05/tibco-security-advisory-may-10-2022-tibco-mftcc-2022-22774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJ27-W92H-FC9R
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-01-30 21:10XML external entity (XXE) vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.597"
},
{
"fixed": "1.600"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.596.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-1809"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T21:10:14Z",
"nvd_published_at": "2020-01-15T19:15:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.",
"id": "GHSA-qj27-w92h-fc9r",
"modified": "2024-01-30T21:10:14Z",
"published": "2022-05-24T17:06:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1809"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2015-02-27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML external entity (XXE) vulnerability in Jenkins"
}
GHSA-QJ7F-J6H9-G5RQ
Vulnerability from github – Published: 2022-05-17 00:26 – Updated: 2022-11-01 22:33An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi:nifi"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12623"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-01T22:33:57Z",
"nvd_published_at": "2017-10-10T18:29:00Z",
"severity": "MODERATE"
},
"details": "An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.",
"id": "GHSA-qj7f-j6h9-g5rq",
"modified": "2022-11-01T22:33:57Z",
"published": "2022-05-17T00:26:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12623"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/security.html#CVE-2017-12623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in Apache NiFi"
}
GHSA-QM84-429W-3353
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2019-5918"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-12T22:29:00Z",
"severity": "CRITICAL"
},
"details": "Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.",
"id": "GHSA-qm84-429w-3353",
"modified": "2022-05-14T01:22:01Z",
"published": "2022-05-14T01:22:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5918"
},
{
"type": "WEB",
"url": "https://nablarch.atlassian.net/projects/NAB/issues/NAB-295"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN56542712/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPJ9-QCWX-8JV2
Vulnerability from github – Published: 2025-06-19 14:29 – Updated: 2025-06-20 14:19Impact
What kind of vulnerability is it? Who is impacted?
In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.
This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.
The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.
Am I impacted?
You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.
Patches
com.powsybl:powsybl-commons:6.7.2 and higher
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.7.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.powsybl:powsybl-commons"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47293"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-19T14:29:40Z",
"nvd_published_at": "2025-06-19T22:15:19Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nIn certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack.\nThis allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system.\nThe vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels.\n\n#### Am I impacted?\nYou are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files.\n\n### Patches\ncom.powsybl:powsybl-commons:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
"id": "GHSA-qpj9-qcwx-8jv2",
"modified": "2025-06-20T14:19:17Z",
"published": "2025-06-19T14:29:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-qpj9-qcwx-8jv2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47293"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/commit/e6c7c4997ae8758b54a2f23ce1a499e25113acdc"
},
{
"type": "PACKAGE",
"url": "https://github.com/powsybl/powsybl-core"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "PowSyBl Core XML Reader allows XXE and SSRF"
}
GHSA-QPMC-WPRV-X746
Vulnerability from github – Published: 2022-04-12 21:31 – Updated: 2022-04-12 21:31The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "sweet_xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15160"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-12T21:31:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.",
"id": "GHSA-qpmc-wprv-x746",
"modified": "2022-04-12T21:31:26Z",
"published": "2022-04-12T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15160"
},
{
"type": "WEB",
"url": "https://github.com/kbrw/sweet_xml/issues/71"
},
{
"type": "PACKAGE",
"url": "https://github.com/kbrw/sweet_xml"
},
{
"type": "WEB",
"url": "https://hex.pm/packages/sweet_xml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inline DTD allows XML bomb attack"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.