CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-687X-269M-7CV9
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2024-01-30 22:36Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.49"
},
"package": {
"ecosystem": "Maven",
"name": "org.jvnet.hudson.plugins:pmd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.50"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000008"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T22:36:26Z",
"nvd_published_at": "2018-01-23T14:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-687x-269m-7cv9",
"modified": "2024-01-30T22:36:26Z",
"published": "2022-05-14T03:46:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000008"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-01-22"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins PMD Plugin"
}
GHSA-689X-4MP2-JFFR
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-2401"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T19:29:00Z",
"severity": "HIGH"
},
"details": "SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability.",
"id": "GHSA-689x-4mp2-jffr",
"modified": "2022-05-13T01:32:23Z",
"published": "2022-05-13T01:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2401"
},
{
"type": "WEB",
"url": "https://blogs.sap.com/2018/03/13/sap-security-patch-day-march-2018"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2596766"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68HQ-QRC4-W5H8
Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server.
{
"affected": [],
"aliases": [
"CVE-2018-1000831"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "K9Mail version \u003c= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server.",
"id": "GHSA-68hq-qrc4-w5h8",
"modified": "2022-05-14T01:42:26Z",
"published": "2022-05-14T01:42:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000831"
},
{
"type": "WEB",
"url": "https://github.com/k9mail/k-9/issues/3681"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/k9mail-XXE-MitM"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68J8-FP38-P48Q
Vulnerability from github – Published: 2024-09-19 14:49 – Updated: 2024-09-20 14:52Impact
The profile location routine in the referencevalidator commons package is vulnerable to XML External Entities attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a Server Side Request Forgery attack.
The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.
Patches
The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one.
Workarounds
A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.
References
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "de.gematik.refv.commons:commons"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-46984"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-19T14:49:40Z",
"nvd_published_at": "2024-09-19T23:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\nThe profile location routine in the referencevalidator commons package is vulnerable to [XML External Entities](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)) attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) attack.\n\nThe vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. \n\n### Patches\nThe problem has been patched with the [2.5.1 version](https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1) of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. \n\n### Workarounds\nA pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.\n\n### References\n- [OWASP Top 10 XXE](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#)\n- [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n- [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)",
"id": "GHSA-68j8-fp38-p48q",
"modified": "2024-09-20T14:52:32Z",
"published": "2024-09-19T14:49:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46984"
},
{
"type": "WEB",
"url": "https://github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory"
},
{
"type": "PACKAGE",
"url": "https://github.com/gematik/app-referencevalidator"
},
{
"type": "WEB",
"url": "https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
},
{
"type": "WEB",
"url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)"
},
{
"type": "WEB",
"url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack"
}
GHSA-6978-8W7H-MG7H
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.
{
"affected": [],
"aliases": [
"CVE-2018-1801"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-04T21:29:00Z",
"severity": "MODERATE"
},
"details": "IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.",
"id": "GHSA-6978-8w7h-mg7h",
"modified": "2022-05-13T01:32:37Z",
"published": "2022-05-13T01:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1801"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149639"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10795780"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-69CM-22PH-XRR5
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:39A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka 'XmlLite Runtime Denial of Service Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-1187"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka \u0027XmlLite Runtime Denial of Service Vulnerability\u0027.",
"id": "GHSA-69cm-22ph-xrr5",
"modified": "2024-04-04T01:39:20Z",
"published": "2022-05-24T16:53:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1187"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1187"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69CW-Q85Q-XVFH
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).
{
"affected": [],
"aliases": [
"CVE-2021-38584"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T23:15:00Z",
"severity": "HIGH"
},
"details": "The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).",
"id": "GHSA-69cw-q85q-xvfh",
"modified": "2022-05-24T19:11:00Z",
"published": "2022-05-24T19:11:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38584"
},
{
"type": "WEB",
"url": "https://docs.cpanel.net/changelogs/98-change-log"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6C2P-RQX3-W4PX
Vulnerability from github – Published: 2024-12-23 18:30 – Updated: 2025-02-28 15:30In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.
{
"affected": [],
"aliases": [
"CVE-2024-40896"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-23T17:15:08Z",
"severity": "CRITICAL"
},
"details": "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.",
"id": "GHSA-6c2p-rqx3-w4px",
"modified": "2025-02-28T15:30:59Z",
"published": "2024-12-23T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40896"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/761"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250228-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6C2V-98PF-9VGR
Vulnerability from github – Published: 2025-08-08 18:32 – Updated: 2025-08-08 18:32In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).
{
"affected": [],
"aliases": [
"CVE-2025-8355"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T16:15:27Z",
"severity": "HIGH"
},
"details": "In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).",
"id": "GHSA-6c2v-98pf-9vgr",
"modified": "2025-08-08T18:32:22Z",
"published": "2025-08-08T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8355"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C4G-2QW2-MFFH
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
{
"affected": [],
"aliases": [
"CVE-2018-1000840"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "MODERATE"
},
"details": "Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.",
"id": "GHSA-6c4g-2qw2-mffh",
"modified": "2022-05-14T01:36:13Z",
"published": "2022-05-14T01:36:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000840"
},
{
"type": "WEB",
"url": "https://github.com/processing/processing/issues/5706"
},
{
"type": "WEB",
"url": "https://twitter.com/ben_fry/status/1054333613465059329"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.