CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-6CMX-5PQJ-8H85
Vulnerability from github – Published: 2023-03-14 06:30 – Updated: 2023-03-21 18:30SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.
{
"affected": [],
"aliases": [
"CVE-2023-26461"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T05:15:00Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.",
"id": "GHSA-6cmx-5pqj-8h85",
"modified": "2023-03-21T18:30:20Z",
"published": "2023-03-14T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26461"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3284550"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6CPJ-3G83-Q2J4
Vulnerability from github – Published: 2022-05-17 04:50 – Updated: 2022-07-12 21:32The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-6612"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-12T21:32:13Z",
"nvd_published_at": "2013-12-07T21:55:00Z",
"severity": "HIGH"
},
"details": "The (1) UpdateRequestHandler for XSLT or (2) XPathEntityProcessor in Apache Solr before 4.1 allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, different vectors than CVE-2013-6407.",
"id": "GHSA-6cpj-3g83-q2j4",
"modified": "2022-07-12T21:32:13Z",
"published": "2022-05-17T04:50:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6612"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/0d21b900975b7048d2e925d852aeacb9bdc6766c"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/f230486ce6707762c1a6e81655d0fac52887906d"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/lucene-solr"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-3895"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1844.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/lucene/dev/branches/branch_4x/solr/CHANGES.txt?view=markup"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Improper Restriction of XML External Entity Reference in Apache Solr"
}
GHSA-6CR6-PH3P-F5RF
Vulnerability from github – Published: 2024-09-06 19:45 – Updated: 2024-09-06 19:45Impact
XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.
Patches
This issue has been patched in release 6.3.23
Workarounds
None.
References
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.utilities"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45294"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-06T19:45:27Z",
"nvd_published_at": "2024-09-06T16:15:03Z",
"severity": "HIGH"
},
"details": "### Impact\nXSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( `\u003c!DOCTYPE foo [\u003c!ENTITY example SYSTEM \"/etc/passwd\"\u003e ]\u003e` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.\n\n### Patches\nThis issue has been patched in release 6.3.23\n\n### Workarounds\nNone.\n\n### References\n[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)\n[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)\n",
"id": "GHSA-6cr6-ph3p-f5rf",
"modified": "2024-09-06T19:45:27Z",
"published": "2024-09-06T19:45:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-59rq-22fm-x8q5"
},
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294"
},
{
"type": "WEB",
"url": "https://github.com/HL7/fhir-ig-publisher/releases/tag/1.6.22"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
},
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`"
}
GHSA-6FHJ-VR9J-G45R
Vulnerability from github – Published: 2025-11-10 21:04 – Updated: 2025-11-15 02:46Impact
The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.
The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed parsing of XML BOMs, but not validation.
Patches
The vulnerability has been fixed in cyclonedx-core-java version 11.0.1.
Workarounds
If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
References
- The issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
- The issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/737
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.cyclonedx:cyclonedx-core-java"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "11.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64518"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-10T21:04:03Z",
"nvd_published_at": "2025-11-10T22:15:40Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.\n\nThe fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed *parsing* of XML BOMs, but not *validation*.\n\n### Patches\n\nThe vulnerability has been fixed in cyclonedx-core-java version 11.0.1.\n\n### Workarounds\n\nIf feasible, applications can reject XML documents before handing them to cyclonedx-core-java for validation.\nThis may be an option if incoming CycloneDX BOMs are known to be in JSON format.\n\n### References\n\n* The issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9\n* The issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/737\n* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory",
"id": "GHSA-6fhj-vr9j-g45r",
"modified": "2025-11-15T02:46:38Z",
"published": "2025-11-10T21:04:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518"
},
{
"type": "WEB",
"url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
},
{
"type": "WEB",
"url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
},
{
"type": "WEB",
"url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
},
{
"type": "PACKAGE",
"url": "https://github.com/CycloneDX/cyclonedx-core-java"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection "
}
GHSA-6FQM-3HX5-GMG3
Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
{
"affected": [],
"aliases": [
"CVE-2014-2296"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-20T17:29:00Z",
"severity": "HIGH"
},
"details": "XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.",
"id": "GHSA-6fqm-3hx5-gmg3",
"modified": "2022-05-14T02:59:07Z",
"published": "2022-05-14T02:59:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2296"
},
{
"type": "WEB",
"url": "https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-via-Google-Accounts-Integration-14512"
},
{
"type": "WEB",
"url": "http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4662444.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FVX-R7HX-3VH6
Vulnerability from github – Published: 2018-10-17 18:28 – Updated: 2022-04-27 14:25JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.bull.javamelody:javamelody-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.74.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-15531"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:19:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.",
"id": "GHSA-6fvx-r7hx-3vh6",
"modified": "2022-04-27T14:25:05Z",
"published": "2018-10-17T18:28:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15531"
},
{
"type": "WEB",
"url": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-6fvx-r7hx-3vh6"
},
{
"type": "PACKAGE",
"url": "https://github.com/javamelody/javamelody"
},
{
"type": "WEB",
"url": "https://github.com/javamelody/javamelody/wiki/ReleaseNotes"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-09-25"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/09/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java."
}
GHSA-6G33-82GC-3PW5
Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2022-07-01 20:33During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0"
},
"package": {
"ecosystem": "Maven",
"name": "commons-jelly:commons-jelly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12621"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T20:33:22Z",
"nvd_published_at": "2017-09-28T01:29:00Z",
"severity": "CRITICAL"
},
"details": "During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a \"SYSTEM\" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.",
"id": "GHSA-6g33-82gc-3pw5",
"modified": "2022-07-01T20:33:22Z",
"published": "2022-05-17T00:34:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12621"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-jelly"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/JELLY-293"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f1fc3f2c45264af44ce782d54b5908ac95f02bf7ad88bb57bfb04b73@%3Cdev.commons.apache.org%3E"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227144849/http://www.securityfocus.com/bid/101052"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210303081618/http://www.securitytracker.com/id/1039444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Jelly"
}
GHSA-6G49-F785-8862
Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-02-27 21:30An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.
{
"affected": [],
"aliases": [
"CVE-2022-39954"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T19:15:00Z",
"severity": "CRITICAL"
},
"details": "An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents.",
"id": "GHSA-6g49-f785-8862",
"modified": "2023-02-27T21:30:34Z",
"published": "2023-02-16T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39954"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6GF8-CQW7-6G5F
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34A External Entity Reference ('XXE') vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37.
{
"affected": [],
"aliases": [
"CVE-2018-12471"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-04T14:29:00Z",
"severity": "HIGH"
},
"details": "A External Entity Reference (\u0027XXE\u0027) vulnerability in SUSE Linux SMT allows remote attackers to read data from the server or cause DoS by referencing blocking elements. Affected releases are SUSE Linux SMT: versions prior to 3.0.37.",
"id": "GHSA-6gf8-cqw7-6g5f",
"modified": "2022-05-13T01:34:46Z",
"published": "2022-05-13T01:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12471"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1103809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HC6-87CM-6QCJ
Vulnerability from github – Published: 2022-07-30 00:00 – Updated: 2022-08-06 00:00An attacker can force the victim’s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360’s document parser. The vulnerability exists in the application’s ‘Insert SVG’ procedure. An attacker can also leverage this vulnerability to obtain victim’s public IP and possibly other sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-27873"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-29T16:15:00Z",
"severity": "HIGH"
},
"details": "An attacker can force the victim\u2019s device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360\u2019s document parser. The vulnerability exists in the application\u2019s \u2018Insert SVG\u2019 procedure. An attacker can also leverage this vulnerability to obtain victim\u2019s public IP and possibly other sensitive information.",
"id": "GHSA-6hc6-87cm-6qcj",
"modified": "2022-08-06T00:00:37Z",
"published": "2022-07-30T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27873"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.