CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-5WC4-W63V-97C3
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2023-10-27 16:00Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.20"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:nested-view"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21680"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-15T16:48:02Z",
"nvd_published_at": "2021-08-31T14:15:00Z",
"severity": "HIGH"
},
"details": "Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.",
"id": "GHSA-5wc4-w63v-97c3",
"modified": "2023-10-27T16:00:17Z",
"published": "2022-05-24T19:12:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21680"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/nested-view-plugin/commit/79787294f034b3009c3de557c6441c9ceba936b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/nested-view-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2411"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins Nested View Plugin"
}
GHSA-5WM2-38Q5-5RXV
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2023-09-25 14:35Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendopenid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendrest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-audioscrobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-nirvanix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-slideshare"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-technorati"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-windowsazure"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-amazon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2683"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T14:35:32Z",
"nvd_published_at": "2014-11-16T00:59:00Z",
"severity": "MODERATE"
},
"details": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.",
"id": "GHSA-5wm2-38q5-5rxv",
"modified": "2023-09-25T14:35:32Z",
"published": "2022-05-14T00:56:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2683"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0151.html"
},
{
"type": "WEB",
"url": "http://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q2/0"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3265"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Several Zend Products Vulnerable to XXE and XEE attacks"
}
GHSA-5WM8-GMM8-39J9
Vulnerability from github – Published: 2026-05-08 16:29 – Updated: 2026-05-14 20:37Summary
When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
Detail
Malicious Input
{
a: {
"@_attr": '" onClick="alert(1)'
}
}
Output
<a attr="" onClick="alert(1)"></a>
Workarounds
If you're not ignoring attributes then keep processEntities flag true.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.6"
},
"package": {
"ecosystem": "npm",
"name": "fast-xml-builder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44665"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-91"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T16:29:10Z",
"nvd_published_at": "2026-05-13T16:16:59Z",
"severity": "HIGH"
},
"details": "# Summary\nWhen an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.\n\n## Detail\n\nMalicious Input\n```\n{\n a: {\n \"@_attr\": \u0027\" onClick=\"alert(1)\u0027\n }\n}\n```\n\nOutput\n```xml\n\u003ca attr=\"\" onClick=\"alert(1)\"\u003e\u003c/a\u003e\n```\n\n### Workarounds\nIf you\u0027re not ignoring attributes then keep processEntities flag true.",
"id": "GHSA-5wm8-gmm8-39j9",
"modified": "2026-05-14T20:37:36Z",
"published": "2026-05-08T16:29:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44665"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-builder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"
}
GHSA-5X73-R429-P343
Vulnerability from github – Published: 2026-01-28 03:30 – Updated: 2026-01-28 03:30This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server.
This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3
See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).
This vulnerability was reported via our Atlassian (Internal) program.
{
"affected": [],
"aliases": [
"CVE-2026-21569"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T01:16:14Z",
"severity": "HIGH"
},
"details": "This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. \n\t\n\tThis XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. \n\t\n\tAtlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). \n\t\n\tThis vulnerability was reported via our Atlassian (Internal) program.",
"id": "GHSA-5x73-r429-p343",
"modified": "2026-01-28T03:30:29Z",
"published": "2026-01-28T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21569"
},
{
"type": "WEB",
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/CWD-6453"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5X77-R5QJ-224H
Vulnerability from github – Published: 2023-02-21 09:30 – Updated: 2023-03-03 00:30A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499.
{
"affected": [],
"aliases": [
"CVE-2015-10082"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-21T07:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499.",
"id": "GHSA-5x77-r5qj-224h",
"modified": "2023-03-03T00:30:45Z",
"published": "2023-02-21T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10082"
},
{
"type": "WEB",
"url": "https://github.com/UIKit0/libplist/commit/c086cb139af7c82845f6d565e636073ff4b37440"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.221499"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.221499"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5X8P-X36C-4GWR
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-05 12:00CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
{
"affected": [],
"aliases": [
"CVE-2022-42745"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "HIGH"
},
"details": "CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.",
"id": "GHSA-5x8p-x36c-4gwr",
"modified": "2022-11-05T12:00:21Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42745"
},
{
"type": "WEB",
"url": "https://candidats.net"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/jcole"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5XH7-6V3X-VRHJ
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-14 05:23Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:rundeck"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2144"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:23:09Z",
"nvd_published_at": "2020-03-09T16:15:00Z",
"severity": "HIGH"
},
"details": "Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nRundeck Plugin 3.6.7 disables external entity resolution for its XML parser.",
"id": "GHSA-5xh7-6v3x-vrhj",
"modified": "2023-01-14T05:23:09Z",
"published": "2022-05-24T17:10:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2144"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/rundeck-plugin/commit/9222a2101d994b43b6c399630da978a4cf2ea62f"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/rundeck-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1702"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Rundeck Plugin"
}
GHSA-5XXV-J4HW-GP2P
Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.
{
"affected": [],
"aliases": [
"CVE-2014-3005"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-01T17:29:00Z",
"severity": "CRITICAL"
},
"details": "XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.",
"id": "GHSA-5xxv-j4hw-gp2p",
"modified": "2022-05-14T03:44:10Z",
"published": "2022-05-14T03:44:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3005"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1110496"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-8151"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140622034155/http://www.pnigos.com:80/?p=273"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134909.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Jun/87"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68075"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6296-MVGP-27HP
Vulnerability from github – Published: 2022-07-08 00:00 – Updated: 2022-07-08 17:53In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.lyo:lyo-parent"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "5.0.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41042"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-08T17:53:33Z",
"nvd_published_at": "2022-07-07T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.",
"id": "GHSA-6296-mvgp-27hp",
"modified": "2022-07-08T17:53:33Z",
"published": "2022-07-08T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41042"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/lyo/commit/a8b15b7f49ca15e55f6699749c39705d21367c6e"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/lyo"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/lyo/releases/tag/v5.0.0"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "XML External Entity Reference in Eclipse Lyo"
}
GHSA-63JF-339P-RVPM
Vulnerability from github – Published: 2023-04-13 21:30 – Updated: 2024-04-04 03:27All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.
{
"affected": [],
"aliases": [
"CVE-2023-26263"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T19:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.",
"id": "GHSA-63jf-339p-rvpm",
"modified": "2024-04-04T03:27:24Z",
"published": "2023-04-13T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26263"
},
{
"type": "WEB",
"url": "https://talend.com"
},
{
"type": "WEB",
"url": "https://www.talend.com/security/incident-response/#CVE-2023-26264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.