Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-VFJJ-7584-C34J

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\Pelco directory) when DSControlPoint.exe is executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-11T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Pelco Digital Sentry Server 7.18.72.11464 has an XML External Entity vulnerability (exploitable via the DTD parameter entities technique), resulting in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the ControlPointCacheShare.xml file (in a %APPDATA%\\Pelco directory) when DSControlPoint.exe is executed.",
  "id": "GHSA-vfjj-7584-c34j",
  "modified": "2022-05-24T17:42:01Z",
  "published": "2022-05-24T17:42:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server.txt"
    },
    {
      "type": "WEB",
      "url": "https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VFMQ-68HX-4JFW

Vulnerability from github – Published: 2026-04-21 20:38 – Updated: 2026-06-06 00:59
VLAI
Summary
lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files
Details

Impact

Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files.

Patches

lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default.

Workarounds

Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access.

Resources

Original report: https://bugs.launchpad.net/lxml/+bug/2146291

The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lxml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T20:38:44Z",
    "nvd_published_at": "2026-04-24T17:16:20Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nUsing either of the two parsers in the default configuration (with `resolve_entities=True`) allows untrusted XML input to read local files.\n\n### Patches\nlxml 6.1.0 changes the default to `resolve_entities=\u0027internal\u0027`, thus disallowing local file access by default.\n\n### Workarounds\nSetting the `resolve_entities` option explicitly to `resolve_entities=\u0027internal\u0027` or `resolve_entities=False` disables the local file access.\n\n### Resources\nOriginal report: https://bugs.launchpad.net/lxml/+bug/2146291\n\nThe default option was changed to `resolve_entities=\u0027internal\u0027` for the normal XML and HTML parsers in lxml 5.0. The default was not changed for `iterparse()` and `ETCompatXMLParser()` at the time. lxml 6.1 makes the safe option the default for all parsers.",
  "id": "GHSA-vfmq-68hx-4jfw",
  "modified": "2026-06-06T00:59:15Z",
  "published": "2026-04-21T20:38:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lxml/lxml/security/advisories/GHSA-vfmq-68hx-4jfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41066"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/lxml/+bug/2146291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lxml/lxml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lxml/lxml/releases/tag/lxml-6.1.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml/PYSEC-2026-87.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files"
}

GHSA-VFMW-MCW8-M32F

Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-21 18:30
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-16T17:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in OpenText Application Automation Tools allows DTD Injection.This issue affects OpenText Application Automation Tools: 24.1.0 and below.",
  "id": "GHSA-vfmw-mcw8-m32f",
  "modified": "2024-10-21T18:30:45Z",
  "published": "2024-10-16T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4690"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000033548?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VG35-VC9F-Q7X2

Vulnerability from github – Published: 2019-07-26 16:09 – Updated: 2024-09-27 18:25
VLAI
Summary
Improper Restriction of XML External Entity Reference in ladon
Details

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ladon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.1"
            },
            {
              "last_affected": "1.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1010268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-07-25T15:54:06Z",
    "nvd_published_at": "2019-07-18T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.",
  "id": "GHSA-vg35-vc9f-q7x2",
  "modified": "2024-09-27T18:25:35Z",
  "published": "2019-07-26T16:09:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010268"
    },
    {
      "type": "PACKAGE",
      "url": "https://bitbucket.org/jakobsg/ladon"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/jakobsg/ladon/pull-requests/9"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vg35-vc9f-q7x2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ladon/PYSEC-2019-184.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in ladon"
}

GHSA-VGVW-M3X5-GRC3

Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45
VLAI
Details

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-22T02:59:00Z",
    "severity": "MODERATE"
  },
  "details": "An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5).",
  "id": "GHSA-vgvw-m3x5-grc3",
  "modified": "2022-05-13T01:45:55Z",
  "published": "2022-05-13T01:45:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3839"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96236"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037836"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH3X-X68X-6R47

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.",
  "id": "GHSA-vh3x-x68x-6r47",
  "modified": "2022-05-24T17:41:45Z",
  "published": "2022-05-24T17:41:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20353"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/194882"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6413709"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-174"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHFP-9WVJ-GWVG

Vulnerability from github – Published: 2021-11-01 19:19 – Updated: 2021-11-03 14:51
VLAI
Summary
XML External Entity vulnerability in MODX CMS
Details

A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "modx/revolution"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-01T19:08:06Z",
    "nvd_published_at": "2021-10-31T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).",
  "id": "GHSA-vhfp-9wvj-gwvg",
  "modified": "2021-11-03T14:51:31Z",
  "published": "2021-11-01T19:19:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modxcms/revolution/issues/15237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modxcms/revolution/pull/15238"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modxcms/revolution/pull/15238/commits/1b7ffe02df30f05dbf67dd15e4d8101687c1585a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dahua966/Vul_disclose/blob/main/XXE_modxcms.md"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modxcms/revolution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity vulnerability in MODX CMS"
}

GHSA-VHHC-MR4W-PMW6

Vulnerability from github – Published: 2022-05-14 01:08 – Updated: 2022-05-14 01:08
VLAI
Details

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-1824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-09-16T13:02:00Z",
    "severity": "MODERATE"
  },
  "details": "The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.",
  "id": "GHSA-vhhc-mr4w-pmw6",
  "modified": "2022-05-14T01:08:03Z",
  "published": "2022-05-14T01:08:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1824"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=918187"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=188c196d4da60bdde9190d2fc532650d17f7af2d"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=afe98b7829d50806559acac9b530acb8283c3bf4"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git;a=commit;h=188c196d4da60bdde9190d2fc532650d17f7af2d"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git;a=commit;h=afe98b7829d50806559acac9b530acb8283c3bf4"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1824.html"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5880"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHWV-8897-JM7Q

Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-12-16 19:56
VLAI
Summary
XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin
Details

Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.compuware.jenkins:compuware-topaz-for-total-test"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T21:22:06Z",
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control the input files for the \u0027Topaz for Total Test - Execute Total Test scenarios\u0027 build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-vhwv-8897-jm7q",
  "modified": "2022-12-16T19:56:42Z",
  "published": "2022-10-19T19:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin"
}

GHSA-VJ49-J7RC-H54F

Vulnerability from github – Published: 2023-08-25 21:30 – Updated: 2023-09-01 17:35
VLAI
Summary
Esoteric YamlBeans XML Entity Expansion vulnerability
Details

An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.esotericsoftware.yamlbeans:yamlbeans"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-25T22:04:01Z",
    "nvd_published_at": "2023-08-25T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.",
  "id": "GHSA-vj49-j7rc-h54f",
  "modified": "2023-09-01T17:35:22Z",
  "published": "2023-08-25T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24620"
    },
    {
      "type": "WEB",
      "url": "https://contrastsecurity.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EsotericSoftware"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EsotericSoftware/yamlbeans"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Esoteric YamlBeans XML Entity Expansion vulnerability"
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.