Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-RWQH-HFR8-59C3

Vulnerability from github – Published: 2022-05-17 00:25 – Updated: 2022-05-17 00:25
VLAI
Details

The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-17T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.  NOTE: Related to CVE-2014-2053.",
  "id": "GHSA-rwqh-hfr8-59c3",
  "modified": "2022-05-17T00:25:34Z",
  "published": "2022-05-17T00:25:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9487"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1175828"
    },
    {
      "type": "WEB",
      "url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-December/000173.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201502-04"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/01/03/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX7G-4GVJ-H8M6

Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2025-04-20 03:32
VLAI
Details

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-17T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp.  NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.",
  "id": "GHSA-rx7g-4gvj-h8m6",
  "modified": "2025-04-20T03:32:58Z",
  "published": "2022-05-14T02:46:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4312"
    },
    {
      "type": "WEB",
      "url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40239"
    },
    {
      "type": "WEB",
      "url": "http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/539199/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92485"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V232-254C-M6P7

Vulnerability from github – Published: 2025-03-10 18:29 – Updated: 2025-03-10 18:29
VLAI
Summary
LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API
Details

Description

The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.

When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.

The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.

Steps to Reproduce

  1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)
  2. Send a PUT request to the bucket tagging endpoint with the following XML payload: ```xml

]> xxe&xxe; ```

```
curl -X PUT \
     -H "Host: app" \
     -H "Authorization: AWS dummy:dummy" \
     -H "Content-Type: application/xml" \
     --data-binary @xxe.xml \
     http://app/bucket?tagging
```
  1. Retrieve the bucket tags using a GET request to the same endpoint

    curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?tagging

  2. The content of the targeted file will be returned in the tag value

The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.

Mitigations

  • Disable XML external entity resolution in the XML parser configuration
  • Implement proper XML parsing security controls such as disabling DTD processing altogether
  • Use a safe parser configuration that doesn't process external entities or DTDs by default
  • Validate and sanitize all XML input before processing to prevent injection of malicious entities

Impact

Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.robothy:local-s3-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T18:29:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Description\nThe LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.\n\nWhen processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server\u0027s filesystem by defining an external entity that references local files.\n\nThe vulnerability is particularly severe because it allows direct access to sensitive files on the server\u0027s filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.\n\n## Steps to Reproduce\n1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)\n2. Send a PUT request to the bucket tagging endpoint with the following XML payload:\n   ```xml\n   \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n   \u003c!DOCTYPE data [\n       \u003c!ENTITY xxe SYSTEM \"file:///flag.txt\" \u003e\n   ]\u003e\n   \u003cTagging\u003e\u003cTagSet\u003e\u003cTag\u003e\u003cKey\u003exxe\u003c/Key\u003e\u003cValue\u003e\u0026xxe;\u003c/Value\u003e\u003c/Tag\u003e\u003c/TagSet\u003e\u003c/Tagging\u003e\n   ```\n\n    ```\n    curl -X PUT \\\n         -H \"Host: app\" \\\n         -H \"Authorization: AWS dummy:dummy\" \\\n         -H \"Content-Type: application/xml\" \\\n         --data-binary @xxe.xml \\\n         http://app/bucket?tagging\n    ```\n\n3. Retrieve the bucket tags using a GET request to the same endpoint\n\n    ```\n    curl -H \"Authorization: AWS dummy:dummy\" http://app-1/bucket?tagging\n    ```\n\n4. The content of the targeted file will be returned in the tag value\n\nThe successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server\u0027s filesystem.\n\n## Mitigations\n- Disable XML external entity resolution in the XML parser configuration\n- Implement proper XML parsing security controls such as disabling DTD processing altogether\n- Use a safe parser configuration that doesn\u0027t process external entities or DTDs by default\n- Validate and sanitize all XML input before processing to prevent injection of malicious entities\n\n## Impact\nCritical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server\u0027s filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.",
  "id": "GHSA-v232-254c-m6p7",
  "modified": "2025-03-10T18:29:27Z",
  "published": "2025-03-10T18:29:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/security/advisories/GHSA-v232-254c-m6p7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Robothy/local-s3/commit/d6ed756ceb30c1eb9d4263321ac683d734f8836f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Robothy/local-s3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API"
}

GHSA-V2H5-C2MM-JM6R

Vulnerability from github – Published: 2022-05-14 01:37 – Updated: 2022-05-14 01:37
VLAI
Details

S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-19T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "S3 Browser before 8.1.5 contains an XML external entity (XXE) vulnerability, allowing remote attackers to read arbitrary files and obtain NTLMv2 hash values by tricking a user into connecting to a malicious server via the S3 protocol.",
  "id": "GHSA-v2h5-c2mm-jm6r",
  "modified": "2022-05-14T01:37:00Z",
  "published": "2022-05-14T01:37:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20298"
    },
    {
      "type": "WEB",
      "url": "https://s3browser.com/news.aspx"
    },
    {
      "type": "WEB",
      "url": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2HX-P2CQ-5WM5

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-13T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka \"Windows Information Disclosure Vulnerability\".",
  "id": "GHSA-v2hx-p2cq-5wm5",
  "modified": "2022-05-13T01:47:41Z",
  "published": "2022-05-13T01:47:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8710"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710"
    },
    {
      "type": "WEB",
      "url": "https://www.vulnerability-lab.com/get_content.php?id=2094"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=bIFot3a-58I"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100793"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2PP-7V4J-XG4G

Vulnerability from github – Published: 2023-10-27 21:30 – Updated: 2023-11-08 03:30
VLAI
Details

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-27T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.",
  "id": "GHSA-v2pp-7v4j-xg4g",
  "modified": "2023-11-08T03:30:31Z",
  "published": "2023-10-27T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34832"
    },
    {
      "type": "WEB",
      "url": "https://crashpark.weebly.com/blog/xxe-in-agilereporter-213-by-vermeg"
    },
    {
      "type": "WEB",
      "url": "https://www.vermeg.com/agile-reporter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2XM-76PQ-PHCF

Vulnerability from github – Published: 2024-06-21 06:31 – Updated: 2024-06-21 15:06
VLAI
Summary
ClassGraph XML External Entity Reference
Details

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.classgraph:classgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.112"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-47621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-21T15:06:26Z",
    "nvd_published_at": "2024-06-21T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.",
  "id": "GHSA-v2xm-76pq-phcf",
  "modified": "2024-06-21T15:06:26Z",
  "published": "2024-06-21T06:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classgraph/classgraph/pull/539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3"
    },
    {
      "type": "WEB",
      "url": "https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/classgraph/classgraph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ClassGraph XML External Entity Reference"
}

GHSA-V2XR-WHR4-9P35

Vulnerability from github – Published: 2025-07-21 18:32 – Updated: 2025-07-21 18:32
VLAI
Details

Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T17:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering.",
  "id": "GHSA-v2xr-whr4-9p35",
  "modified": "2025-07-21T18:32:18Z",
  "published": "2025-07-21T18:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36603"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000345331/dsa-2025-277-security-update-for-dell-appsync-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3PX-6VF7-C58J

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-29T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.",
  "id": "GHSA-v3px-6vf7-c58j",
  "modified": "2022-05-24T17:49:05Z",
  "published": "2022-05-24T17:49:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25163"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V3XC-F323-99X9

Vulnerability from github – Published: 2022-05-17 02:28 – Updated: 2022-05-17 02:28
VLAI
Details

IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-05T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Guardium 10.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume memory resources. IBM X-Force ID: 124634.",
  "id": "GHSA-v3xc-f323-99x9",
  "modified": "2022-05-17T02:28:13Z",
  "published": "2022-05-17T02:28:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1254"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/124634"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22004463"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99366"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.