CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-3V98-72QW-V7R9
Vulnerability from github – Published: 2022-05-17 02:42 – Updated: 2025-04-20 03:38XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files.
{
"affected": [],
"aliases": [
"CVE-2017-9295"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-29T18:29:00Z",
"severity": "MODERATE"
},
"details": "XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files.",
"id": "GHSA-3v98-72qw-v7r9",
"modified": "2025-04-20T03:38:23Z",
"published": "2022-05-17T02:42:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9295"
},
{
"type": "WEB",
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3VCG-8P79-JPCV
Vulnerability from github – Published: 2021-05-06 18:52 – Updated: 2024-10-28 14:25The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.3"
},
"package": {
"ecosystem": "PyPI",
"name": "svglib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10799"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T22:26:32Z",
"nvd_published_at": "2020-03-20T23:15:00Z",
"severity": "CRITICAL"
},
"details": "The svglib package through 0.9.3 for Python allows XXE attacks via an `svg2rlg` call.",
"id": "GHSA-3vcg-8p79-jpcv",
"modified": "2024-10-28T14:25:11Z",
"published": "2021-05-06T18:52:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10799"
},
{
"type": "WEB",
"url": "https://github.com/deeplook/svglib/issues/229"
},
{
"type": "WEB",
"url": "https://github.com/deeplook/svglib/commit/35686a130ed260c71a382a8f83d41fd31a46704d"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3vcg-8p79-jpcv"
},
{
"type": "PACKAGE",
"url": "https://github.com/deeplook/svglib"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/svglib/PYSEC-2020-111.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SVGlib Vulnerable to XXE Attacks"
}
GHSA-3VCX-W94H-68VG
Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2024-01-30 23:17Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.jvnet.hudson.plugins:android-lint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000055"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T23:17:57Z",
"nvd_published_at": "2018-02-09T23:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-3vcx-w94h-68vg",
"modified": "2024-01-30T23:17:57Z",
"published": "2022-05-14T03:40:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000055"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-02-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Android Lint Plugin"
}
GHSA-3VJC-5X79-M9R8
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2024-04-25 21:06SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25817"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T21:06:33Z",
"nvd_published_at": "2021-06-08T18:15:00Z",
"severity": "MODERATE"
},
"details": "SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).",
"id": "GHSA-3vjc-5x79-m9r8",
"modified": "2024-04-25T21:06:33Z",
"published": "2022-05-24T19:04:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25817"
},
{
"type": "WEB",
"url": "https://forum.silverstripe.org/c/releases"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/blog/tag/release"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/cve-2021-25817"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "SilverStripe XXE Vulnerability in CSSContentParser"
}
GHSA-3VJH-XRHF-V9XH
Vulnerability from github – Published: 2024-11-15 12:31 – Updated: 2024-11-18 21:23An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dompdf/dompdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3902"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T20:49:33Z",
"nvd_published_at": "2024-11-15T11:15:06Z",
"severity": "CRITICAL"
},
"details": "An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf\u0027s SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.",
"id": "GHSA-3vjh-xrhf-v9xh",
"modified": "2024-11-18T21:23:28Z",
"published": "2024-11-15T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3902"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799"
},
{
"type": "PACKAGE",
"url": "https://github.com/dompdf/dompdf"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in dompdf/dompdf"
}
GHSA-3VP6-4284-WJ7C
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2025-04-10 21:31Possible XML External Entity Injection
in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0200.
{
"affected": [],
"aliases": [
"CVE-2023-24466"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T16:15:19Z",
"severity": "HIGH"
},
"details": "Possible XML External Entity Injection\n\n\n in iManager GET parameter has been discovered in\nOpenText\u2122 iManager 3.2.6.0200.",
"id": "GHSA-3vp6-4284-wj7c",
"modified": "2025-04-10T21:31:00Z",
"published": "2024-11-22T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24466"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/imanager-32/pdfdoc/imanager326_patch3_releasenotes/imanager326_patch3_releasenotes.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3VRC-RRPW-R5PW
Vulnerability from github – Published: 2023-02-19 18:30 – Updated: 2024-03-01 14:29A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.jamesmurty.utils:java-xmlbuilder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-125087"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-01T20:46:06Z",
"nvd_published_at": "2023-02-19T17:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.",
"id": "GHSA-3vrc-rrpw-r5pw",
"modified": "2024-03-01T14:29:18Z",
"published": "2023-02-19T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125087"
},
{
"type": "WEB",
"url": "https://github.com/jmurty/java-xmlbuilder/issues/6"
},
{
"type": "WEB",
"url": "https://github.com/jmurty/java-xmlbuilder/commit/e6fddca201790abab4f2c274341c0bb8835c3e73"
},
{
"type": "PACKAGE",
"url": "https://github.com/jmurty/java-xmlbuilder"
},
{
"type": "WEB",
"url": "https://github.com/jmurty/java-xmlbuilder/releases/tag/v1.2"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240208-0009"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.221480"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.221480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "java-xmlbuilder vulnerable to XML External Entity Reference"
}
GHSA-3WC8-659G-R88Q
Vulnerability from github – Published: 2019-01-25 16:18 – Updated: 2025-09-23 15:16Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.batch:spring-batch-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.10.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.batch:spring-batch-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.RELEASE"
},
{
"fixed": "4.0.2.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.batch:spring-batch-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0.RELEASE"
},
{
"fixed": "4.1.1.RELEASE"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.1.0.RELEASE"
]
}
],
"aliases": [
"CVE-2019-3774"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:56:44Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
"id": "GHSA-3wc8-659g-r88q",
"modified": "2025-09-23T15:16:31Z",
"published": "2019-01-25T16:18:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3774"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfea6eebfebb13bc015f258e7fa31d4e24a4202601be3b307da28d530@%3Ccommits.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf83697efcbcfe1131e31bbc7025cb3ee1db5d9185e9481093b2ef961@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ree71c6425d2cc0e36b77bda6902965a657c1e09c7229459811d66474@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcd4945d66d8bb2fc92396af56a70ede4af983a2c98166f1281338346@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcd26a5409af7356b5f69b2fafae3cf621bff8bf155f50e9ccf9ed5f6@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb9fe3ae33246d7f11604a1c85c861cb013a1e32248a43a0c22457107@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/raae74a9290784e20e86fcd4e2525fa8700aeed6f65f3613b5b04bb11@%3Ccommits.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra8c7573911082e9968f4835943045ad0952232bb6314becf23dc3de5@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra62a3bf48ab4e0e9aaed970b03d79a73224d68a4275858c707542f6c@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra329bb85da9da93ac6f9b5fc0fc5446a3af0ee2a62c5de484da0af54@%3Ccommits.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r96d90e59bb12af5e5c631dcf7d7d80857a52bf3dc44d5b85553e7fc4@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r79991aeb5d0c53c67e400e037c72758a06607752ca2f23b5302dd61f@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r78645ca0eef44a276e144447fb2087db758b1fb8826d0330b3f0da1a@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5fbb63e405d2211c16524d33f52e3b122109d3bc88d5f74623fb212d@%3Ccommits.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r47c7f67a3067ec09262eef0705abc42ea1b646699d9198bcaf8dad02@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2349237482bcec43632d9d78d7d2804520d9a82f4d8b1fd96bb616b8@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r08e7ddc354bdcbf95d88399f18b3d804865034f8bc706095e594b29f@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r0153a08177fcfac7584c7b9ea3027f1e8f18f770126f905b9989190e@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r01292194daa9ed3117b34dabec0c26929f6db13b9613fc144f720d52@%3Cissues.servicemix.apache.org%3E"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-batch"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Low severity vulnerability that affects org.springframework.batch:spring-batch-core"
}
GHSA-3WQV-582C-6CPC
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-09-30 21:02In versions of Akana API Platform prior to 2024.1.0 a flaw resulting in XML External Entity (XXE) was discovered.
{
"affected": [],
"aliases": [
"CVE-2024-3930"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T19:15:10Z",
"severity": "MODERATE"
},
"details": "In versions of Akana API Platform prior to 2024.1.0\u00a0a flaw resulting in XML External Entity (XXE) was discovered.",
"id": "GHSA-3wqv-582c-6cpc",
"modified": "2024-09-30T21:02:12Z",
"published": "2024-07-30T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3930"
},
{
"type": "WEB",
"url": "https://portal.perforce.com/s/detail/a91PA000001SUKLYA4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3WRH-HC8C-4JPW
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-11 00:01A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.
{
"affected": [],
"aliases": [
"CVE-2022-21949"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T08:15:00Z",
"severity": "HIGH"
},
"details": "A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.",
"id": "GHSA-3wrh-hc8c-4jpw",
"modified": "2022-05-11T00:01:55Z",
"published": "2022-05-04T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21949"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1197928"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.