CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-VQ5H-QGXM-2M39
Vulnerability from github – Published: 2023-04-02 21:30 – Updated: 2023-04-10 16:23Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:crap4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28680"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-03T22:55:39Z",
"nvd_published_at": "2023-04-02T21:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
"id": "GHSA-vq5h-qgxm-2m39",
"modified": "2023-04-10T16:23:32Z",
"published": "2023-04-02T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28680"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/crap4j-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2925"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Crap4J Plugin vulnerable to XML external entity (XXE) attacks"
}
GHSA-VQMF-2V99-HHQQ
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser.
{
"affected": [],
"aliases": [
"CVE-2020-7572"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T22:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists in EcoStruxure Building Operation WebReports V1.9 - V3.1 that could cause an authenticated remote user being able to inject arbitrary XML code and obtain disclosure of confidential data, denial of service, server side request forgery due to improper configuration of the XML parser.",
"id": "GHSA-vqmf-2v99-hhqq",
"modified": "2022-05-24T17:34:45Z",
"published": "2022-05-24T17:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7572"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-04"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VQP6-X5VH-R3F7
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32The TIBCO Administrator server component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1.
{
"affected": [],
"aliases": [
"CVE-2018-5433"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T13:29:00Z",
"severity": "MODERATE"
},
"details": "The TIBCO Administrator server component of TIBCO Software Inc.\u0027s TIBCO Administrator - Enterprise Edition, and TIBCO Administrator - Enterprise Edition for z/Linux contains vulnerabilities wherein a malicious user could perform XML external entity expansion (XXE) attacks to disclose host machine information. Affected releases are TIBCO Software Inc.\u0027s TIBCO Administrator - Enterprise Edition: versions up to and including 5.10.0, and TIBCO Administrator - Enterprise Edition for z/Linux: versions up to and including 5.9.1.",
"id": "GHSA-vqp6-x5vh-r3f7",
"modified": "2022-05-13T01:32:10Z",
"published": "2022-05-13T01:32:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5433"
},
{
"type": "WEB",
"url": "https://www.tibco.com/support/advisories/2018/06/security-advisory-june-12-2018-tibco-administrator-enterprise-edition-2018-5433"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104451"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VQQ8-VPHP-8X9C
Vulnerability from github – Published: 2023-05-24 21:30 – Updated: 2024-04-04 04:20The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it.
{
"affected": [],
"aliases": [
"CVE-2022-41221"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-24T21:15:10Z",
"severity": "HIGH"
},
"details": "The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it.",
"id": "GHSA-vqq8-vphp-8x9c",
"modified": "2024-04-04T04:20:03Z",
"published": "2023-05-24T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41221"
},
{
"type": "WEB",
"url": "https://labs.withsecure.com/advisories/opentext-archive-center-administration-client-xxe-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQVR-95HX-42FJ
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2025-04-12 13:03The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
{
"affected": [],
"aliases": [
"CVE-2016-4264"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-01T23:59:00Z",
"severity": "HIGH"
},
"details": "The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GHSA-vqvr-95hx-42fj",
"modified": "2025-04-12T13:03:43Z",
"published": "2022-05-13T01:17:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4264"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40346"
},
{
"type": "WEB",
"url": "http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/539374/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92684"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036708"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VR8Q-G5C7-M54M
Vulnerability from github – Published: 2020-12-30 18:35 – Updated: 2022-08-16 19:53Severity
Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).
Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".
Affected Versions
Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Mitigation
There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.
If, after upgrading to 1.11.0.rc4 or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):
- Ensure the input is trusted. Do not enable this option for untrusted input.
- When invoking the
Nokogiri::XML::Schemaconstructor, pass as the second parameter an instance ofNokogiri::XML::ParseOptionswith theNONETflag turned off.
So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)
# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
References
- This issue's public advisory
- Original Hackerone report (private)
- OWASP description of XXE attack
- OWASP description of SSRF attack
Credit
This vulnerability was independently reported by @eric-therond and @gucki.
The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.10"
},
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26247"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-30T18:34:51Z",
"nvd_published_at": "2020-12-30T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Severity\n\nNokogiri maintainers have evaluated this as [__Low Severity__ (CVSS3 2.6)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N).\n\n\n### Description\n\nIn Nokogiri versions \u003c= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.\n\nThis behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible.\n\nPlease note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be \"Low Severity\".\n\n\n### Affected Versions\n\nNokogiri `\u003c= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`\n\n\n### Mitigation\n\nThere are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later.\n\nIf, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):\n\n1. Ensure the input is trusted. Do not enable this option for untrusted input.\n2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off.\n\nSo if your previous code was:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network\n# but in v1.11.0.rc4 and later, this call will disallow network access for external resources\nschema = Nokogiri::XML::Schema.new(schema)\n\n# in v1.11.0.rc4 and later, the following is equivalent to the code above\n# (the second parameter is optional, and this demonstrates its default value)\nschema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)\n```\n\nThen you can add the second parameter to indicate that the input is trusted by changing it to:\n\n``` ruby\n# in v1.11.0.rc3 and earlier, this would raise an ArgumentError \n# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network\nschema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)\n```\n\n\n### References\n\n- [This issue\u0027s public advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m)\n- [Original Hackerone report (private)](https://hackerone.com/reports/747489)\n- [OWASP description of XXE attack](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing)\n- [OWASP description of SSRF attack](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n\n\n### Credit \n\nThis vulnerability was independently reported by @eric-therond and @gucki.\n\nThe Nokogiri maintainers would like to thank [HackerOne](https://hackerone.com/nokogiri) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.",
"id": "GHSA-vr8q-g5c7-m54m",
"modified": "2022-08-16T19:53:40Z",
"published": "2020-12-30T18:35:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26247"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/747489"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/nokogiri"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability"
}
GHSA-VRPQ-QP53-QV56
Vulnerability from github – Published: 2025-05-21 21:31 – Updated: 2026-01-13 22:47In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0.202503040940-r"
},
{
"fixed": "7.2.1.202505142326-r"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0.202411261347-r"
},
{
"fixed": "7.1.1.202505221757-r"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0.202409031743-r"
},
{
"fixed": "7.0.1.202505221510-r"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0.202203080745-r"
},
{
"fixed": "6.10.1.202505221210-r"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.202110060947-m1"
},
{
"fixed": "6.0.0.202111291000-r"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jgit:org.eclipse.jgit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.13.4.202507202350-r"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4949"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-22T18:49:33Z",
"nvd_published_at": "2025-05-21T07:16:01Z",
"severity": "MODERATE"
},
"details": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.",
"id": "GHSA-vrpq-qp53-qv56",
"modified": "2026-01-13T22:47:14Z",
"published": "2025-05-21T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-jgit/jgit"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/5.13.5"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1"
},
{
"type": "WEB",
"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Eclipse JGit XML External Entity (XXE) Vulnerability"
}
GHSA-VV6Q-6HWP-VRGP
Vulnerability from github – Published: 2023-06-29 21:30 – Updated: 2023-07-07 16:30easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "easy-parse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26710"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T20:36:45Z",
"nvd_published_at": "2023-06-29T21:15:09Z",
"severity": "HIGH"
},
"details": "easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file.",
"id": "GHSA-vv6q-6hwp-vrgp",
"modified": "2023-07-07T16:30:07Z",
"published": "2023-06-29T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26710"
},
{
"type": "WEB",
"url": "https://github.com/uncmath25/easy-parse/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/easy-parse/PYSEC-2023-97.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/uncmath25/easy-parse"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "easy-parse XML External Entity Injection vulnerability"
}
GHSA-VV88-7W5X-843V
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:00/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.
{
"affected": [],
"aliases": [
"CVE-2018-18471"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T16:15:00Z",
"severity": "CRITICAL"
},
"details": "/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.",
"id": "GHSA-vv88-7w5x-843v",
"modified": "2024-04-04T01:00:30Z",
"published": "2022-05-24T16:48:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18471"
},
{
"type": "WEB",
"url": "https://www.wizcase.com/blog/hack-2018"
},
{
"type": "WEB",
"url": "http://www.axentra.com/en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VV8G-79WF-H38X
Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155.
{
"affected": [],
"aliases": [
"CVE-2017-1383"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-02T17:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 127155.",
"id": "GHSA-vv8g-79wf-h38x",
"modified": "2022-05-17T02:20:12Z",
"published": "2022-05-17T02:20:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1383"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/127155"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22005803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.