Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-687X-269M-7CV9

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2024-01-30 22:36
VLAI
Summary
XXE vulnerability in Jenkins PMD Plugin
Details

Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.49"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:pmd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:36:26Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-687x-269m-7cv9",
  "modified": "2024-01-30T22:36:26Z",
  "published": "2022-05-14T03:46:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000008"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102844"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins PMD Plugin"
}

GHSA-689X-4MP2-JFFR

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-2401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-14T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "SAP Business Process Automation (BPA) By Redwood does not sufficiently validate an XML document accepted from an untrusted source resulting in an XML External Entity (XXE) vulnerability.",
  "id": "GHSA-689x-4mp2-jffr",
  "modified": "2022-05-13T01:32:23Z",
  "published": "2022-05-13T01:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2401"
    },
    {
      "type": "WEB",
      "url": "https://blogs.sap.com/2018/03/13/sap-security-patch-day-march-2018"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2596766"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68HQ-QRC4-W5H8

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "K9Mail version \u003c= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via malicious WebDAV server or intercept the reponse of a valid WebDAV server.",
  "id": "GHSA-68hq-qrc4-w5h8",
  "modified": "2022-05-14T01:42:26Z",
  "published": "2022-05-14T01:42:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/k9mail/k-9/issues/3681"
    },
    {
      "type": "WEB",
      "url": "https://0dd.zone/2018/10/28/k9mail-XXE-MitM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68J8-FP38-P48Q

Vulnerability from github – Published: 2024-09-19 14:49 – Updated: 2024-09-20 14:52
VLAI
Summary
Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack
Details

Impact

The profile location routine in the referencevalidator commons package is vulnerable to XML External Entities attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a Server Side Request Forgery attack.

The vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources.

Patches

The problem has been patched with the 2.5.1 version of the referencevalidator. Users are strongly recommended to update to this version or a more recent one.

Workarounds

A pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "de.gematik.refv.commons:commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T14:49:40Z",
    "nvd_published_at": "2024-09-19T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe profile location routine in the referencevalidator commons package is vulnerable to [XML External Entities](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)) attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) attack.\n\nThe vulnerability impacts applications which use referencevalidator to process XML resources from untrusted sources. \n\n### Patches\nThe problem has been patched with the [2.5.1 version](https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1) of the referencevalidator. Users are strongly recommended to update to this version or a more recent one. \n\n### Workarounds\nA pre-processing or manual analysis of input XML resources on existence of DTD definitions or external entities can mitigate the problem.\n\n### References\n- [OWASP Top 10 XXE](https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#)\n- [Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n- [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)",
  "id": "GHSA-68j8-fp38-p48q",
  "modified": "2024-09-20T14:52:32Z",
  "published": "2024-09-19T14:49:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/security/advisories/GHSA-68j8-fp38-p48q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/commit/d6d27613fab7a8dd08534946f29e0c51f319cad6"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gematik/app-referencevalidator"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gematik/app-referencevalidator/releases/tag/2.5.1"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)#"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack"
}

GHSA-6978-8W7H-MG7H

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-04T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM App Connect V11.0.0.0 through V11.0.0.1, IBM Integration Bus V10.0.0.0 through V10.0.0.13, IBM Integration Bus V9.0.0.0 through V9.0.0.10, and WebSphere Message Broker V8.0.0.0 through V8.0.0.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to consume memory resources. IBM X-Force ID: 149639.",
  "id": "GHSA-6978-8w7h-mg7h",
  "modified": "2022-05-13T01:32:37Z",
  "published": "2022-05-13T01:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1801"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149639"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10795780"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69CM-22PH-XRR5

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-04-04 01:39
VLAI
Details

A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka 'XmlLite Runtime Denial of Service Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-14T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input, aka \u0027XmlLite Runtime Denial of Service Vulnerability\u0027.",
  "id": "GHSA-69cm-22ph-xrr5",
  "modified": "2024-04-04T01:39:20Z",
  "published": "2022-05-24T16:53:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1187"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1187"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69CW-Q85Q-XVFH

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-11T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "The WHM Locale Upload feature in cPanel before 98.0.1 allows XXE attacks (SEC-585).",
  "id": "GHSA-69cw-q85q-xvfh",
  "modified": "2022-05-24T19:11:00Z",
  "published": "2022-05-24T19:11:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38584"
    },
    {
      "type": "WEB",
      "url": "https://docs.cpanel.net/changelogs/98-change-log"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6C2P-RQX3-W4PX

Vulnerability from github – Published: 2024-12-23 18:30 – Updated: 2025-02-28 15:30
VLAI
Details

In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-23T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.",
  "id": "GHSA-6c2p-rqx3-w4px",
  "modified": "2025-02-28T15:30:59Z",
  "published": "2024-12-23T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40896"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/761"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250228-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C2V-98PF-9VGR

Vulnerability from github – Published: 2025-08-08 18:32 – Updated: 2025-08-08 18:32
VLAI
Details

In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-08T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF).",
  "id": "GHSA-6c2v-98pf-9vgr",
  "modified": "2025-08-08T18:32:22Z",
  "published": "2025-08-08T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8355"
    },
    {
      "type": "WEB",
      "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C4G-2QW2-MFFH

Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36
VLAI
Details

Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.",
  "id": "GHSA-6c4g-2qw2-mffh",
  "modified": "2022-05-14T01:36:13Z",
  "published": "2022-05-14T01:36:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/processing/processing/issues/5706"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/ben_fry/status/1054333613465059329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.