Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-5WC4-W63V-97C3

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2023-10-27 16:00
VLAI
Summary
XXE vulnerability in Jenkins Nested View Plugin
Details

Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.20"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nested-view"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T16:48:02Z",
    "nvd_published_at": "2021-08-31T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.",
  "id": "GHSA-5wc4-w63v-97c3",
  "modified": "2023-10-27T16:00:17Z",
  "published": "2022-05-24T19:12:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nested-view-plugin/commit/79787294f034b3009c3de557c6441c9ceba936b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nested-view-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2411"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Nested View Plugin"
}

GHSA-5WM2-38Q5-5RXV

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2023-09-25 14:35
VLAI
Summary
Several Zend Products Vulnerable to XXE and XEE attacks
Details

Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendopenid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendrest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-audioscrobbler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-nirvanix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-slideshare"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-technorati"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-windowsazure"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-amazon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendservice-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-2683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-25T14:35:32Z",
    "nvd_published_at": "2014-11-16T00:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.  NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.",
  "id": "GHSA-5wm2-38q5-5rxv",
  "modified": "2023-09-25T14:35:32Z",
  "published": "2022-05-14T00:56:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2683"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"
    },
    {
      "type": "WEB",
      "url": "http://advisories.mageia.org/MGASA-2014-0151.html"
    },
    {
      "type": "WEB",
      "url": "http://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2014/q2/0"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Several Zend Products Vulnerable to XXE and XEE attacks"
}

GHSA-5WM8-GMM8-39J9

Vulnerability from github – Published: 2026-05-08 16:29 – Updated: 2026-05-14 20:37
VLAI
Summary
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
Details

Summary

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

Detail

Malicious Input

{
      a: {
        "@_attr": '" onClick="alert(1)'
      }
}

Output

<a attr="" onClick="alert(1)"></a>

Workarounds

If you're not ignoring attributes then keep processEntities flag true.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-91"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T16:29:10Z",
    "nvd_published_at": "2026-05-13T16:16:59Z",
    "severity": "HIGH"
  },
  "details": "# Summary\nWhen an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.\n\n## Detail\n\nMalicious Input\n```\n{\n      a: {\n        \"@_attr\": \u0027\" onClick=\"alert(1)\u0027\n      }\n}\n```\n\nOutput\n```xml\n\u003ca attr=\"\" onClick=\"alert(1)\"\u003e\u003c/a\u003e\n```\n\n### Workarounds\nIf you\u0027re not ignoring attributes then keep processEntities flag true.",
  "id": "GHSA-5wm8-gmm8-39j9",
  "modified": "2026-05-14T20:37:36Z",
  "published": "2026-05-08T16:29:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44665"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-builder"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes"
}

GHSA-5X73-R429-P343

Vulnerability from github – Published: 2026-01-28 03:30 – Updated: 2026-01-28 03:30
VLAI
Details

This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

    * Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3



See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).

This vulnerability was reported via our Atlassian (Internal) program.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T01:16:14Z",
    "severity": "HIGH"
  },
  "details": "This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. \n\t\n\tThis XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. \n\t\n\tAtlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). \n\t\n\tThis vulnerability was reported via our Atlassian (Internal) program.",
  "id": "GHSA-5x73-r429-p343",
  "modified": "2026-01-28T03:30:29Z",
  "published": "2026-01-28T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21569"
    },
    {
      "type": "WEB",
      "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CWD-6453"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5X77-R5QJ-224H

Vulnerability from github – Published: 2023-02-21 09:30 – Updated: 2023-03-03 00:30
VLAI
Details

A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-21T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as problematic has been found in UIKit0 libplist 1.12. This affects the function plist_from_xml of the file src/xplist.c of the component XML Handler. The manipulation leads to xml external entity reference. The name of the patch is c086cb139af7c82845f6d565e636073ff4b37440. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-221499.",
  "id": "GHSA-5x77-r5qj-224h",
  "modified": "2023-03-03T00:30:45Z",
  "published": "2023-02-21T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/UIKit0/libplist/commit/c086cb139af7c82845f6d565e636073ff4b37440"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.221499"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.221499"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5X8P-X36C-4GWR

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-05 12:00
VLAI
Details

CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.",
  "id": "GHSA-5x8p-x36c-4gwr",
  "modified": "2022-11-05T12:00:21Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42745"
    },
    {
      "type": "WEB",
      "url": "https://candidats.net"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/jcole"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XH7-6V3X-VRHJ

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-14 05:23
VLAI
Summary
XXE vulnerability in Rundeck Plugin
Details

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:rundeck"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:23:09Z",
    "nvd_published_at": "2020-03-09T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nRundeck Plugin 3.6.7 disables external entity resolution for its XML parser.",
  "id": "GHSA-5xh7-6v3x-vrhj",
  "modified": "2023-01-14T05:23:09Z",
  "published": "2022-05-24T17:10:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2144"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/rundeck-plugin/commit/9222a2101d994b43b6c399630da978a4cf2ea62f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/rundeck-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1702"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Rundeck Plugin"
}

GHSA-5XXV-J4HW-GP2P

Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44
VLAI
Details

XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-3005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-01T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "XML external entity (XXE) vulnerability in Zabbix 1.8.x before 1.8.21rc1, 2.0.x before 2.0.13rc1, 2.2.x before 2.2.5rc1, and 2.3.x before 2.3.2 allows remote attackers to read arbitrary files or potentially execute arbitrary code via a crafted DTD in an XML request.",
  "id": "GHSA-5xxv-j4hw-gp2p",
  "modified": "2022-05-14T03:44:10Z",
  "published": "2022-05-14T03:44:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3005"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1110496"
    },
    {
      "type": "WEB",
      "url": "https://support.zabbix.com/browse/ZBX-8151"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20140622034155/http://www.pnigos.com:80/?p=273"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134885.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134909.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Jun/87"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68075"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6296-MVGP-27HP

Vulnerability from github – Published: 2022-07-08 00:00 – Updated: 2022-07-08 17:53
VLAI
Summary
XML External Entity Reference in Eclipse Lyo
Details

In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.lyo:lyo-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "5.0.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T17:53:33Z",
    "nvd_published_at": "2022-07-07T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.",
  "id": "GHSA-6296-mvgp-27hp",
  "modified": "2022-07-08T17:53:33Z",
  "published": "2022-07-08T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/lyo/commit/a8b15b7f49ca15e55f6699749c39705d21367c6e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/lyo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/lyo/releases/tag/v5.0.0"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/287"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in Eclipse Lyo"
}

GHSA-63JF-339P-RVPM

Vulnerability from github – Published: 2023-04-13 21:30 – Updated: 2024-04-04 03:27
VLAI
Details

All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.",
  "id": "GHSA-63jf-339p-rvpm",
  "modified": "2024-04-04T03:27:24Z",
  "published": "2023-04-13T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26263"
    },
    {
      "type": "WEB",
      "url": "https://talend.com"
    },
    {
      "type": "WEB",
      "url": "https://www.talend.com/security/incident-response/#CVE-2023-26264"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.