Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-V797-6JMW-529F

Vulnerability from github – Published: 2025-03-25 15:31 – Updated: 2025-03-25 15:31
VLAI
Details

In JetBrains GoLand before 2025.1 an XXE during debugging was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T13:15:41Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains GoLand before 2025.1 an XXE during debugging was possible",
  "id": "GHSA-v797-6jmw-529f",
  "modified": "2025-03-25T15:31:29Z",
  "published": "2025-03-25T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29932"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7CP-2CX9-X793

Vulnerability from github – Published: 2026-05-04 20:56 – Updated: 2026-06-05 14:31
VLAI
Summary
changedetection.io project has an XXE vulnerability
Details

changedetection.io_XXE_01 Vulnerability Report: We discovered a XXE vulnerability in the changedetection.io project

While analyzing the code logic, it was determined that an area may lead to unintended behavior under specific conditions. With the project's security in mind, see the analysis results to discern whether this may indicate a potential security risk.

Overview

  • SOURCE_VERSION: 0.54.9 (9f3a9fdc18bba404244801e5df8109e213ce9ff4)
  • Vulnerability type: XXE
  • Finding title: XML XPath helpers parse untrusted XML with entity resolution left to lxml defaults
  • Affected location: changedetectionio/html_tools.py:287

Root Cause

xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).

Source-to-Sink Chain

  1. Untrusted XML/RSS response content is fetched from monitored URLs.
  2. Stream detection marks the content as XML/RSS and the include-filter path invokes xpath_filter(..., is_xml=True).
  3. xpath_filter() builds the default XML parser and calls etree.fromstring(...) at changedetectionio/html_tools.py:287.
  4. External entity declarations in attacker XML can be expanded by parser-default behavior in affected runtime combinations.

Exploitation Preconditions

  1. Attacker controls the watched XML/RSS response body.
  2. The watch uses an XPath include filter that triggers XML helper parsing.
  3. Runtime parser behavior allows external entity expansion (for example, vulnerable dependency/default combinations).
  4. The process can read the referenced local resource.

Risk

The XML helper path can turn watch processing into a local file disclosure primitive when entity expansion is enabled by parser defaults.

Impact

Sensitive local files can be exposed into extracted watch output, diff history, and downstream notification channels.

Remediation

  1. Harden XML parser construction with resolve_entities=False, load_dtd=False, and no_network=True.
  2. Reject DOCTYPE/entity declarations for untrusted XML if DTD features are unnecessary.
  3. Add regression tests that assert external entities are never expanded in XPath XML helper flows.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "changedetection.io"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.54.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T20:56:36Z",
    "nvd_published_at": "2026-05-12T18:17:23Z",
    "severity": "HIGH"
  },
  "details": "# changedetection.io_XXE_01 Vulnerability Report: We discovered a XXE vulnerability in the changedetection.io project\n\nWhile analyzing the code logic, it was determined that an area may lead to unintended behavior under specific conditions. With the project\u0027s security in mind, see the analysis results to discern whether this may indicate a potential security risk.\n\n## Overview\n- SOURCE_VERSION: `0.54.9 (9f3a9fdc18bba404244801e5df8109e213ce9ff4)`\n- Vulnerability type: `XXE`\n- Finding title: `XML XPath helpers parse untrusted XML with entity resolution left to lxml defaults`\n- Affected location: `changedetectionio/html_tools.py:287`\n\n## Root Cause\n`xpath_filter()` switches to XML mode for XML/RSS content and creates `etree.XMLParser(strip_cdata=False)` without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with `etree.fromstring(...)`.\n\n## Source-to-Sink Chain\n1. Untrusted XML/RSS response content is fetched from monitored URLs.\n2. Stream detection marks the content as XML/RSS and the include-filter path invokes `xpath_filter(..., is_xml=True)`.\n3. `xpath_filter()` builds the default XML parser and calls `etree.fromstring(...)` at `changedetectionio/html_tools.py:287`.\n4. External entity declarations in attacker XML can be expanded by parser-default behavior in affected runtime combinations.\n\n## Exploitation Preconditions\n1. Attacker controls the watched XML/RSS response body.\n2. The watch uses an XPath include filter that triggers XML helper parsing.\n3. Runtime parser behavior allows external entity expansion (for example, vulnerable dependency/default combinations).\n4. The process can read the referenced local resource.\n\n## Risk\nThe XML helper path can turn watch processing into a local file disclosure primitive when entity expansion is enabled by parser defaults.\n\n## Impact\nSensitive local files can be exposed into extracted watch output, diff history, and downstream notification channels.\n\n## Remediation\n1. Harden XML parser construction with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`.\n2. Reject `DOCTYPE`/entity declarations for untrusted XML if DTD features are unnecessary.\n3. Add regression tests that assert external entities are never expanded in XPath XML helper flows.",
  "id": "GHSA-v7cp-2cx9-x793",
  "modified": "2026-06-05T14:31:13Z",
  "published": "2026-05-04T20:56:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-v7cp-2cx9-x793"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41895"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dgtlmoon/changedetection.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2026-29.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "changedetection.io project has an XXE vulnerability"
}

GHSA-V837-QC8G-228C

Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-21 00:00
VLAI
Details

Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-service attack rendering the system temporarily inoperative.",
  "id": "GHSA-v837-qc8g-228c",
  "modified": "2022-07-21T00:00:27Z",
  "published": "2022-07-13T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35168"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3211203"
    },
    {
      "type": "WEB",
      "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V83V-8PQ8-XR74

Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06
VLAI
Details

netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-26T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "netbeans-mmd-plugin version \u003c= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file.",
  "id": "GHSA-v83v-8pq8-xr74",
  "modified": "2022-05-14T03:06:31Z",
  "published": "2022-05-14T03:06:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000542"
    },
    {
      "type": "WEB",
      "url": "https://github.com/raydac/netbeans-mmd-plugin/issues/45"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/06/02/Netbeans-MMD-Plugin-XXE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V868-4M83-H5W3

Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31
VLAI
Details

IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T20:17:28Z",
    "severity": "HIGH"
  },
  "details": "IBM Business Automation Manager Open Editions 9.0.0 through 9.4.2 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-v868-4m83-h5w3",
  "modified": "2026-06-30T21:31:44Z",
  "published": "2026-06-30T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13449"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7278532"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V899-28G4-QMH8

Vulnerability from github – Published: 2021-11-01 19:19 – Updated: 2024-11-18 16:26
VLAI
Summary
XML External Entity vulnerability in Easy-XML
Details

The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via a crafted external entity entered into the XML content as input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "easy-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-01T19:12:25Z",
    "nvd_published_at": "2021-10-31T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via a crafted external entity entered into the XML content as input.",
  "id": "GHSA-v899-28g4-qmh8",
  "modified": "2024-11-18T16:26:16Z",
  "published": "2021-11-01T19:19:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darkfoxprime/python-easy_xml/issues/1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-v899-28g4-qmh8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/darkfoxprime/python-easy_xml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/easy-xml/PYSEC-2021-388.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XML External Entity vulnerability in Easy-XML"
}

GHSA-V8JM-JM42-6G53

Vulnerability from github – Published: 2023-05-11 21:30 – Updated: 2024-04-04 04:02
VLAI
Details

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-11T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "\nIBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.\n\n",
  "id": "GHSA-v8jm-jm42-6g53",
  "modified": "2024-04-04T04:02:51Z",
  "published": "2023-05-11T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27554"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/249185"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6989451"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8JR-7G4W-CP39

Vulnerability from github – Published: 2025-07-22 15:32 – Updated: 2025-11-05 00:31
VLAI
Details

An XML External Entity (XXE) injection vulnerability exists in ETQ Reliance on the CG (legacy) platform within the /resources/sessions/sso endpoint. The SAML authentication handler processes XML input without disabling external entity resolution, allowing crafted SAML responses to invoke external entity references. This could enable attackers to retrieve sensitive files or perform server-side request forgery (SSRF). The issue was addressed by disabling external entity processing for the affected XML parser in versions SE.2025.1 and 2025.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T13:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An XML External Entity (XXE) injection vulnerability exists in ETQ Reliance on the CG (legacy) platform within the `/resources/sessions/sso` endpoint. The SAML authentication handler processes XML input without disabling external entity resolution, allowing crafted SAML responses to invoke external entity references. This could enable attackers to retrieve sensitive files or perform server-side request forgery (SSRF). The issue was addressed by disabling external entity processing for the affected XML parser in versions SE.2025.1 and 2025.1.2.",
  "id": "GHSA-v8jr-7g4w-cp39",
  "modified": "2025-11-05T00:31:22Z",
  "published": "2025-07-22T15:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34142"
    },
    {
      "type": "WEB",
      "url": "https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance"
    },
    {
      "type": "WEB",
      "url": "https://www.etq.com/blog/etq-reliance-security-update"
    },
    {
      "type": "WEB",
      "url": "https://www.etq.com/product-overview"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/etq-reliance-cg-xxe-injection-in-sso-saml-handler-copy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V9XM-X7MC-F74G

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 00:00
VLAI
Details

A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.",
  "id": "GHSA-v9xm-x7mc-f74g",
  "modified": "2022-06-23T00:00:22Z",
  "published": "2022-06-15T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32285"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC3X-72Q4-G3P5

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-11-04 18:42
VLAI
Summary
XML External Entity Reference in jbpmmigration
Details

It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

The related jbpm-designer project removed use of jbpmmigration completely as a result.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jbpm.jbpm5:jbpmmigration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-04T18:42:12Z",
    "nvd_published_at": "2018-07-26T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that the XmlUtils class in jbpmmigration performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.\n\nThe related jbpm-designer project removed use of jbpmmigration completely as a result.",
  "id": "GHSA-vc3x-72q4-g3p5",
  "modified": "2022-11-04T18:42:12Z",
  "published": "2022-05-13T01:36:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7545"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiegroup/jbpm-designer/commit/a143f3b92a6a5a527d929d68c02a0c5d914ab81d"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3354"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3355"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1474822"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7545"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kiegroup/jbpmmigration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in jbpmmigration"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.