CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-2J3M-GWXG-45RX
Vulnerability from github – Published: 2023-01-30 09:30 – Updated: 2025-03-27 21:30Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.
{
"affected": [],
"aliases": [
"CVE-2023-22322"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper restriction of XML external entity reference (XXE) vulnerability exists in OMRON CX-Motion Pro 1.4.6.013 and earlier. If a user opens a specially crafted project file created by an attacker, sensitive information in the file system where CX-Motion Pro is installed may be disclosed.",
"id": "GHSA-2j3m-gwxg-45rx",
"modified": "2025-03-27T21:30:37Z",
"published": "2023-01-30T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22322"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU94200979"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2J45-PJ39-84JW
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0
{
"affected": [],
"aliases": [
"CVE-2018-15362"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-07T15:29:00Z",
"severity": "CRITICAL"
},
"details": "XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0",
"id": "GHSA-2j45-pj39-84jw",
"modified": "2022-05-14T01:36:20Z",
"published": "2022-05-14T01:36:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15362"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/07/klcert-18-025-general-electric-proficy-gds-xml-external-entity-xxe"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-340-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106133"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JC4-R94C-RP7H
Vulnerability from github – Published: 2023-08-21 09:30 – Updated: 2025-02-13 19:10Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ivy:ivy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46751"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-21T20:39:45Z",
"nvd_published_at": "2023-08-21T07:15:33Z",
"severity": "HIGH"
},
"details": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle\u0027s \"Java API for XML Processing (JAXP) Security Guide\".",
"id": "GHSA-2jc4-r94c-rp7h",
"modified": "2025-02-13T19:10:25Z",
"published": "2023-08-21T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751"
},
{
"type": "WEB",
"url": "https://github.com/apache/ant-ivy/commit/2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"
},
{
"type": "WEB",
"url": "https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477"
},
{
"type": "WEB",
"url": "https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/ant-ivy"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/06/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Ivy External Entity Reference vulnerability"
}
GHSA-2JQJ-5QV2-XVCG
Vulnerability from github – Published: 2025-04-10 12:25 – Updated: 2025-04-10 12:26Impact
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.
If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.
Credits
This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.
Patches
- See "Patched versions"
- https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913
Workarounds
- Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.
References
- https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-richtext"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0-beta1"
},
{
"fixed": "2.3.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T12:25:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThis security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.\n\nIf you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.\n\n### Credits\nThis vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of [Compass Security Deutschland GmbH](https://www.compass-security.com/en/). We thank them for reporting it responsibly to us.\n\n### Patches\n- See \"Patched versions\"\n- https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913\n\n### Workarounds\n- Exploitation requires edit access to RichText content. If you can trust your editors, and you don\u0027t grant edit permission to any externals, you are not at risk in practice.\n\n### References\n- https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext",
"id": "GHSA-2jqj-5qv2-xvcg",
"modified": "2025-04-10T12:26:44Z",
"published": "2025-04-10T12:25:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-richtext/security/advisories/GHSA-2jqj-5qv2-xvcg"
},
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-richtext/commit/5ba2a82cc3aa6235ecfe87278e20c1451d9df913"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezplatform-richtext"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ezsystems/ezplatform-richtext allows access to external entities in XML"
}
GHSA-2JRP-R5X4-HG4W
Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0756"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T02:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027.",
"id": "GHSA-2jrp-r5x4-hg4w",
"modified": "2022-05-14T01:11:04Z",
"published": "2022-05-14T01:11:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0756"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0756"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JX2-CGJ2-48WC
Vulnerability from github – Published: 2025-05-23 00:30 – Updated: 2025-05-23 00:30Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.
{
"affected": [],
"aliases": [
"CVE-2025-4338"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T23:15:19Z",
"severity": "MODERATE"
},
"details": "Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.",
"id": "GHSA-2jx2-cgj2-48wc",
"modified": "2025-05-23T00:30:19Z",
"published": "2025-05-23T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4338"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01"
},
{
"type": "WEB",
"url": "https://www.lantronix.com/products/lantronix-provisioning-manager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2JX3-P89P-3F69
Vulnerability from github – Published: 2022-12-21 18:30 – Updated: 2022-12-21 18:30An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4
{
"affected": [],
"aliases": [
"CVE-2022-25628"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "An authenticated user can perform XML eXternal Entity injection in Management Console in Symantec Identity Manager 14.4",
"id": "GHSA-2jx3-p89p-3f69",
"modified": "2022-12-21T18:30:24Z",
"published": "2022-12-21T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25628"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/21136"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2JX8-V4HV-GX3H
Vulnerability from github – Published: 2021-06-28 16:45 – Updated: 2021-10-05 17:29| Release Date | Affected Projects | Affected Versions | Access Vector | Security Risk |
|---|---|---|---|---|
| Monday, May 4, 2020 | service-api | Every version, starting from 3.1.0 | Remote | Medium |
Impact
Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.
Report Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.
We advise our users install the latest releases we built specifically to address this issue.
Patches
Fixed with https://github.com/reportportal/service-api/pull/1201
Binary Download
https://bintray.com/epam/reportportal/service-api/5.1.1 https://bintray.com/epam/reportportal/service-api/4.3.12
Docker Container Download
- RP v4:
docker pull reportportal/service-api:4.3.12 - RP v5:
docker pull reportportal/service-api:5.1.1
Acknowledgement
The issue was reported to Report Portal Team by an external security researcher. Our Team thanks Julien M. for reporting the issue.
For more information
If you have any questions or comments about this advisory email us: support@reportportal.io
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.epam.reportportal:service-api"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "4.3.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.epam.reportportal:service-api"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-12642"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-28T16:45:26Z",
"nvd_published_at": "2020-05-04T16:15:00Z",
"severity": "HIGH"
},
"details": "| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk |\n|--------------|-------------------|-------------------|---------------|---------------|\n| Monday, May 4, 2020| [service-api](https://github.com/reportportal/service-api) | Every version, starting from 3.1.0 | Remote | Medium |\n\n### Impact\nStarting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity (XXE) attacks. This allows a user to import a specifically-crafted XML file that uses external entities for extraction of secrets from Report Portal service-api module or server-side request forgery.\n\nReport Portal versions 4.3.12+ and 5.1.1+ disables external entity resolution for theirs XML parser.\n\nWe advise our users install the latest releases we built specifically to address this issue.\n\n### Patches\nFixed with https://github.com/reportportal/service-api/pull/1201\n\n### Binary Download\nhttps://bintray.com/epam/reportportal/service-api/5.1.1\nhttps://bintray.com/epam/reportportal/service-api/4.3.12\n\n### Docker Container Download\n* RP v4: `docker pull reportportal/service-api:4.3.12`\n* RP v5: `docker pull reportportal/service-api:5.1.1`\n\n### Acknowledgement\nThe issue was reported to Report Portal Team by an external security researcher.\nOur Team thanks Julien M. for reporting the issue.\n\n### For more information\nIf you have any questions or comments about this advisory email us: [support@reportportal.io](mailto:support@reportportal.io)",
"id": "GHSA-2jx8-v4hv-gx3h",
"modified": "2021-10-05T17:29:41Z",
"published": "2021-06-28T16:45:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-2jx8-v4hv-gx3h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12642"
},
{
"type": "WEB",
"url": "https://github.com/reportportal/service-api/pull/1201"
},
{
"type": "WEB",
"url": "https://github.com/reportportal/service-api/commit/da4a012abdcc69f02f4255d81466f1f473b7f418"
},
{
"type": "PACKAGE",
"url": "https://github.com/reportportal/reportportal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Launch import"
}
GHSA-2M3G-74X3-7W8X
Vulnerability from github – Published: 2025-12-10 00:30 – Updated: 2025-12-10 00:30ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.
{
"affected": [],
"aliases": [
"CVE-2025-61823"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T00:16:10Z",
"severity": "MODERATE"
},
"details": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed.",
"id": "GHSA-2m3g-74x3-7w8x",
"modified": "2025-12-10T00:30:23Z",
"published": "2025-12-10T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61823"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2MP8-QVQM-3XWQ
Vulnerability from github – Published: 2018-10-17 00:04 – Updated: 2023-09-26 11:23Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.restlet.jse:org.restlet.ext.jaxrs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-14868"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:52:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.",
"id": "GHSA-2mp8-qvqm-3xwq",
"modified": "2023-09-26T11:23:36Z",
"published": "2018-10-17T00:04:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868"
},
{
"type": "WEB",
"url": "https://github.com/restlet/restlet-framework-java/issues/1286"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2mp8-qvqm-3xwq"
},
{
"type": "PACKAGE",
"url": "https://github.com/restlet/restlet-framework-java"
},
{
"type": "WEB",
"url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
},
{
"type": "WEB",
"url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Restlet Framework Ja-rs extension is vulnerable to XXE when using SimpleXMLProvider"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.