Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-P65P-H8XW-F45X

Vulnerability from github – Published: 2024-03-28 15:30 – Updated: 2024-03-28 15:30
VLAI
Details

In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T15:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2024.03 xXE was possible in the Maven build steps detector",
  "id": "GHSA-p65p-h8xw-f45x",
  "modified": "2024-03-28T15:30:34Z",
  "published": "2024-03-28T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31139"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P674-HH8X-RV5H

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2023-10-27 15:00
VLAI
Summary
XML external entity vulnerability in Jenkins Nuget Plugin
Details

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This XML parser is used for the \"Build on NuGet updates\" feature.

This allows attackers with the ability to control the contents of the packages.config file in a workspace to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Nuget Plugin 1.1 disables external entity resolution for its XML parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nuget"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-07T23:54:54Z",
    "nvd_published_at": "2021-05-25T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This XML parser is used for the \\\"Build on NuGet updates\\\" feature.\n\nThis allows attackers with the ability to control the contents of the `packages.config` file in a workspace to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nJenkins Nuget Plugin 1.1 disables external entity resolution for its XML parser.",
  "id": "GHSA-p674-hh8x-rv5h",
  "modified": "2023-10-27T15:00:45Z",
  "published": "2022-05-24T19:03:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21658"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nuget-plugin/commit/542bf38ac52f045741a5670e1644af351878f7e0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nuget-plugin/commit/c8ed4cb5b1c42f3c407f9f418b4e0b4274bea5a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nuget-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-05-25/#SECURITY-2340"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/05/25/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity vulnerability in Jenkins Nuget Plugin"
}

GHSA-P6C5-737R-2R93

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:39
VLAI
Summary
XXE vulnerability in Jenkins Klocwork Analysis Plugin
Details

Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2020.2.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:klocwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2020.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T22:39:05Z",
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-p6c5-737r-2r93",
  "modified": "2022-12-20T22:39:05Z",
  "published": "2022-05-24T17:27:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2247"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/klocwork-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1831"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins Klocwork Analysis Plugin"
}

GHSA-P72F-5P6W-9JJP

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-2492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-11T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.",
  "id": "GHSA-p72f-5p6w-9jjp",
  "modified": "2022-05-13T01:10:44Z",
  "published": "2022-05-13T01:10:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2492"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2642680"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106153"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P72G-PV48-7W9X

Vulnerability from github – Published: 2025-08-20 21:30 – Updated: 2025-11-05 20:40
VLAI
Summary
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
Details

Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-parser-pdf-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-parsers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13"
            },
            {
              "fixed": "2.0.0-ALPHA"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T14:36:27Z",
    "nvd_published_at": "2025-08-20T20:15:33Z",
    "severity": "CRITICAL"
  },
  "details": "Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.",
  "id": "GHSA-p72g-pv48-7w9x",
  "modified": "2025-11-05T20:40:56Z",
  "published": "2025-08-20T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/pull/2291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/commit/2b52257304f4d3cde2b8463657380bdb936d9ef2"
    },
    {
      "type": "WEB",
      "url": "https://archive.apache.org/dist/tika/3.2.2/CHANGES-3.2.2.txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tika"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/TIKA-4459"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/stn9oh7rfn9yv76n1srxr9w56oy04p72"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/20/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/08/20/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF"
}

GHSA-P7JF-PRFR-4V7Q

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope's server that could cause an XXE, and potentially result in data compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-01T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An exploitable unauthenticated XML external injection vulnerability was identified in FocalScope v2416. A unauthenticated attacker could submit a specially crafted web request to FocalScope\u0027s server that could cause an XXE, and potentially result in data compromise.",
  "id": "GHSA-p7jf-prfr-4v7q",
  "modified": "2022-05-13T01:02:02Z",
  "published": "2022-05-13T01:02:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3881"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8CC-4954-R7HW

Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2025-04-20 03:44
VLAI
Details

XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-08T10:29:00Z",
    "severity": "MODERATE"
  },
  "details": "XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import.",
  "id": "GHSA-p8cc-4954-r7hw",
  "modified": "2025-04-20T03:44:29Z",
  "published": "2022-05-17T00:19:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9095"
    },
    {
      "type": "WEB",
      "url": "https://thenopsled.com/divinglog.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43187"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8MG-76FJ-RC53

Vulnerability from github – Published: 2023-02-03 00:30 – Updated: 2023-02-09 03:30
VLAI
Details

IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-03T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Tivoli Workload Scheduler 9.4, 9.5, and 10.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226328.",
  "id": "GHSA-p8mg-76fj-rc53",
  "modified": "2023-02-09T03:30:18Z",
  "published": "2023-02-03T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22486"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/226328"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6890697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P99P-726H-C8V5

Vulnerability from github – Published: 2018-10-19 16:42 – Updated: 2022-09-14 19:12
VLAI
Summary
Apache juddi-client vulnerable to XML External Entity (XXE)
Details

In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.juddi:juddi-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2"
            },
            {
              "fixed": "3.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:48:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.",
  "id": "GHSA-p99p-726h-c8v5",
  "modified": "2022-09-14T19:12:48Z",
  "published": "2018-10-19T16:42:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1307"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p99p-726h-c8v5"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/JUDDI-987"
    },
    {
      "type": "WEB",
      "url": "http://juddi.apache.org/security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache juddi-client vulnerable to XML External Entity (XXE)"
}

GHSA-P9J3-8MPG-P3PF

Vulnerability from github – Published: 2022-04-01 00:00 – Updated: 2022-04-07 00:00
VLAI
Details

The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-30T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The \"Register an Ehcache Configuration File\" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.",
  "id": "GHSA-p9j3-8mpg-p3pf",
  "modified": "2022-04-07T00:00:29Z",
  "published": "2022-04-01T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33208"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blackarrowsec/advisories/tree/master/2021/CVE-2021-33208"
    },
    {
      "type": "WEB",
      "url": "https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.