Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-XP65-54G6-4JPJ

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-2019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-18T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Identity Manager 6.0.0 Virtual Appliance is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 155265.",
  "id": "GHSA-xp65-54g6-4jpj",
  "modified": "2022-05-13T01:32:23Z",
  "published": "2022-05-13T01:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2019"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155265"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794615"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP8P-9RQ5-4WGV

Vulnerability from github – Published: 2022-05-17 03:16 – Updated: 2023-08-03 21:53
VLAI
Summary
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
Details

The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendxml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-5161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T21:53:46Z",
    "nvd_published_at": "2015-08-25T17:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The `Zend_Xml_Security::scan` in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.",
  "id": "GHSA-xp8p-9rq5-4wgv",
  "modified": "2023-08-03T21:53:46Z",
  "published": "2022-05-17T03:16:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zf1/issues/393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/ZendXml/commit/79f478fa2af85ce1fc18ac132dee5aa714c3b532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zf1/commit/ff7edddf1410b44b5ead857c02698aad9f748d1b"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2015-06"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/CVE-2015-5161.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/CVE-2015-5161.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendxml/CVE-2015-5161.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228055156/http://www.securityfocus.com/bid/76177"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/37765"
    },
    {
      "type": "WEB",
      "url": "http://framework.zend.com/security/advisory/ZF2015-06"
    },
    {
      "type": "WEB",
      "url": "http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164409.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165147.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165173.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/133068/Zend-Framework-2.4.2-1.12.13-XXE-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Aug/46"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3340"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/76177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "ZendXml and Zend Framework contain XXE and XEE Vulnerabilities"
}

GHSA-XPH3-7HR2-G2JM

Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-06 21:32
VLAI
Details

IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T21:15:21Z",
    "severity": "HIGH"
  },
  "details": "IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-xph3-7hr2-g2jm",
  "modified": "2025-02-06T21:32:10Z",
  "published": "2025-02-06T21:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54171"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7182693"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPW4-HQM8-RJ97

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2025-04-20 03:50
VLAI
Details

XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-3630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-29T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.",
  "id": "GHSA-xpw4-hqm8-rj97",
  "modified": "2025-04-20T03:50:40Z",
  "published": "2022-05-13T01:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3630"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/play-framework/WdbFvemsFDQ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#%21topic/play-framework/WdbFvemsFDQ"
    },
    {
      "type": "WEB",
      "url": "https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf"
    },
    {
      "type": "WEB",
      "url": "https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQ23-VW7C-WG89

Vulnerability from github – Published: 2022-05-17 03:03 – Updated: 2022-05-17 03:03
VLAI
Details

XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.",
  "id": "GHSA-xq23-vw7c-wg89",
  "modified": "2022-05-17T03:03:04Z",
  "published": "2022-05-17T03:03:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7743"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/137255/Paessler-PRTG-Network-Monitor-14.4.12.3282-XXE-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://www.paessler.com/prtg/history/stable#16.2.23.3077"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQ2Q-8HXC-7JR2

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:38
VLAI
Summary
XXE vulnerability in Jenkins Valgrind Plugin
Details

Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:valgrind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T22:38:25Z",
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-xq2q-8hxc-7jr2",
  "modified": "2022-12-20T22:38:25Z",
  "published": "2022-05-24T17:27:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2245"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/valgrind-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1829"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Valgrind Plugin"
}

GHSA-XQ76-5H8Q-6J3H

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-06 21:30
VLAI
Details

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-09T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.",
  "id": "GHSA-xq76-5h8q-6j3h",
  "modified": "2022-12-06T21:30:44Z",
  "published": "2022-05-24T17:27:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24379"
    },
    {
      "type": "WEB",
      "url": "https://github.com/erlyaws/yaws/commits/master"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vulnbe/poc-yaws-dav-xxe"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4569-1"
    },
    {
      "type": "WEB",
      "url": "https://vuln.be/post/yaws-xxe-and-shell-injections"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4773"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XQCP-X2J9-XJ7C

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-05T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "XML external entity (XXE) vulnerability affecting certain versions of a Mule runtime component that may affect CloudHub, GovCloud, Runtime Fabric, Pivotal Cloud Foundry, Private Cloud Edition, and on-premise customers.",
  "id": "GHSA-xqcp-x2j9-xj7c",
  "modified": "2022-05-24T19:10:08Z",
  "published": "2022-05-24T19:10:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1630"
    },
    {
      "type": "WEB",
      "url": "https://help.salesforce.com/articleView?id=000362693\u0026type=1\u0026mode=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XRH2-C3RM-35JR

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-11-22 18:45
VLAI
Summary
HornetQ REST vulnerable to Improper Restriction of XML External Entity Reference
Details

HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hornetq.rest:hornetq-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0.Beta1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-3599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-22T18:45:47Z",
    "nvd_published_at": "2019-11-12T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy.",
  "id": "GHSA-xrh2-c3rm-35jr",
  "modified": "2022-11-22T18:45:47Z",
  "published": "2022-05-24T22:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2014-3599"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hornetq/hornetq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HornetQ REST vulnerable to Improper Restriction of XML External Entity Reference"
}

GHSA-XRHW-GPGR-R7CM

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Financial Transaction Manager 3.2.4 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 192956.",
  "id": "GHSA-xrhw-gpgr-r7cm",
  "modified": "2022-05-24T19:05:11Z",
  "published": "2022-05-24T19:05:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5003"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192956"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6462861"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.