CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
CVE-2024-56322 (GCVE-0-2024-56322)
Vulnerability from cvelistv5 – Published: 2025-01-03 15:49 – Updated: 2025-01-03 17:10- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/gocd/gocd/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gocd/gocd/commit/410331a97eb29… | x_refsource_MISC |
| https://github.com/gocd/gocd/releases/tag/24.5.0 | x_refsource_MISC |
| https://www.gocd.org/releases/#24-5-0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:09:40.613611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:10:02.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 16.7.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:49:48.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7"
},
{
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-8xwx-hf68-8xq7",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56322",
"datePublished": "2025-01-03T15:49:48.294Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T17:10:02.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55887 (GCVE-0-2024-55887)
Vulnerability from cvelistv5 – Published: 2024-12-13 16:08 – Updated: 2024-12-13 17:06- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/FHIR/Ucum-java/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T17:06:02.821909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T17:06:54.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ucum-java",
"vendor": "FHIR",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T16:08:55.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FHIR/Ucum-java/security/advisories/GHSA-w9j7-phm3-f97j"
}
],
"source": {
"advisory": "GHSA-w9j7-phm3-f97j",
"discovery": "UNKNOWN"
},
"title": "Ucum-java has an XXE vulnerability in XML parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55887",
"datePublished": "2024-12-13T16:08:55.658Z",
"dateReserved": "2024-12-12T15:00:38.902Z",
"dateUpdated": "2024-12-13T17:06:54.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55875 (GCVE-0-2024-55875)
Vulnerability from cvelistv5 – Published: 2024-12-12 18:56 – Updated: 2026-06-09 10:42| URL | Tags |
|---|---|
| https://github.com/http4k/http4k/security/advisor… | x_refsource_CONFIRM |
| https://github.com/http4k/http4k/commit/35297adc6… | x_refsource_MISC |
| https://github.com/http4k/http4k/blob/25696dff2d9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55875",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T14:52:57.520637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T14:55:49.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "http4k",
"vendor": "http4k",
"versions": [
{
"status": "affected",
"version": "\u003c 6.50.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:42:10.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
},
{
"name": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc"
},
{
"name": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46"
}
],
"source": {
"advisory": "GHSA-7mj5-hjjj-8rgw",
"discovery": "UNKNOWN"
},
"title": "http4k has a potential XXE (XML External Entity Injection) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55875",
"datePublished": "2024-12-12T18:56:59.499Z",
"dateReserved": "2024-12-11T15:46:36.420Z",
"dateUpdated": "2026-06-09T10:42:10.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54171 (GCVE-0-2024-54171)
Vulnerability from cvelistv5 – Published: 2025-02-06 20:29 – Updated: 2025-02-22 22:11- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7182693 | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T20:45:41.722929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:41:08.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EntireX",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T22:11:33.331Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7182693"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM EntireX XML external entity injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-54171",
"datePublished": "2025-02-06T20:29:04.129Z",
"dateReserved": "2024-11-30T14:47:41.352Z",
"dateUpdated": "2025-02-22T22:11:33.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54005 (GCVE-0-2024-54005)
Vulnerability from cvelistv5 – Published: 2024-12-10 13:54 – Updated: 2024-12-10 17:17- CWE-611 - Improper Restriction of XML External Entity Reference
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | COMOS V10.3 |
Affected:
0 , < V10.3.3.5.8
(custom)
|
|
| Siemens | COMOS V10.4.0 |
Affected:
0 , < *
(custom)
|
|
| Siemens | COMOS V10.4.1 |
Affected:
0 , < *
(custom)
|
|
| Siemens | COMOS V10.4.2 |
Affected:
0 , < *
(custom)
|
|
| Siemens | COMOS V10.4.3 |
Affected:
0 , < V10.4.3.0.47
(custom)
|
|
| Siemens | COMOS V10.4.4 |
Affected:
0 , < V10.4.4.2
(custom)
|
|
| Siemens | COMOS V10.4.4.1 |
Affected:
0 , < V10.4.4.1.21
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T15:16:40.996944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:17:46.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "COMOS V10.3",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V10.3.3.5.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.0",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.1",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.2",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.3",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V10.4.3.0.47",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.4",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V10.4.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "COMOS V10.4.4.1",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V10.4.4.1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in COMOS V10.3 (All versions \u003c V10.3.3.5.8), COMOS V10.4.0 (All versions), COMOS V10.4.1 (All versions), COMOS V10.4.2 (All versions), COMOS V10.4.3 (All versions \u003c V10.4.3.0.47), COMOS V10.4.4 (All versions \u003c V10.4.4.2), COMOS V10.4.4.1 (All versions \u003c V10.4.4.1.21). The PDMS/E3D Engineering Interface improperly handles XML External Entity (XXE) entries when communicating with an external application. This could allow an attacker to extract any file with a known location on the user\u0027s system or accessible network folders by injecting malicious data into the communication channel between the two systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T13:54:15.994Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-701627.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-54005",
"datePublished": "2024-12-10T13:54:15.994Z",
"dateReserved": "2024-11-26T16:33:29.218Z",
"dateUpdated": "2024-12-10T17:17:46.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52807 (GCVE-0-2024-52807)
Vulnerability from cvelistv5 – Published: 2025-01-24 18:34 – Updated: 2026-01-28 23:21- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/HL7/fhir-ig-publisher/security… | x_refsource_CONFIRM |
| https://github.com/HL7/fhir-ig-publisher/commit/3… | x_refsource_MISC |
| https://github.com/HL7/fhir-ig-publisher/compare/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| HL7 | fhir-ig-publisher |
Affected:
< 1.7.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T19:33:43.454536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:42:52.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fhir-ig-publisher",
"vendor": "HL7",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]\u003e` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T23:21:13.318Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HL7/fhir-ig-publisher/security/advisories/GHSA-8c3x-hq82-gjcm"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/commit/3560de2f486d688a3ddcf4aa54d8bdacea380c3d"
},
{
"name": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HL7/fhir-ig-publisher/compare/1.7.3...1.7.4"
}
],
"source": {
"advisory": "GHSA-8c3x-hq82-gjcm",
"discovery": "UNKNOWN"
},
"title": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52807",
"datePublished": "2025-01-24T18:34:23.255Z",
"dateReserved": "2024-11-15T17:11:13.442Z",
"dateUpdated": "2026-01-28T23:21:13.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52806 (GCVE-0-2024-52806)
Vulnerability from cvelistv5 – Published: 2024-12-02 16:18 – Updated: 2024-12-02 19:12- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/simplesamlphp/saml2/security/a… | x_refsource_CONFIRM |
| https://github.com/simplesamlphp/saml2/commit/5fd… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| simplesamlphp | saml2 |
Affected:
< 4.6.14
Affected: >= 5.0.0-alpha.1, < 5.0.0-alpha.18 |
|
| simplesamlphp | saml2 |
Affected:
0 , < 4.6.14
(custom)
Affected: 0 , ≤ 5.0.0-alpha.1 (custom) Affected: 0 , < 5.0.0-alpha.18 (custom) cpe:2.3:a:simplesamlphp:saml2:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:simplesamlphp:saml2:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "saml2",
"vendor": "simplesamlphp",
"versions": [
{
"lessThan": "4.6.14",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0.0-alpha.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.0.0-alpha.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52806",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T19:10:45.941998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T19:12:33.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saml2",
"vendor": "simplesamlphp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.6.14"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-alpha.1, \u003c 5.0.0-alpha.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T16:18:43.485Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"
},
{
"name": "https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"
}
],
"source": {
"advisory": "GHSA-pxm4-r5ph-q2m2",
"discovery": "UNKNOWN"
},
"title": "SimpleSAMLphp SAML2 has an XXE in parsing SAML messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52806",
"datePublished": "2024-12-02T16:18:43.485Z",
"dateReserved": "2024-11-15T17:11:13.442Z",
"dateUpdated": "2024-12-02T19:12:33.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52800 (GCVE-0-2024-52800)
Vulnerability from cvelistv5 – Published: 2024-11-29 18:20 – Updated: 2024-12-02 11:19- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/veraPDF/veraPDF-library/securi… | x_refsource_CONFIRM |
| https://github.com/veraPDF/veraPDF-library/issues/1488 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| veraPDF | veraPDF-library |
Affected:
<= 1.26.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T11:17:25.404338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T11:19:36.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "veraPDF-library",
"vendor": "veraPDF",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.26.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn\u0027t affect the standard validation and policy checks functionality, veraPDF\u0027s common use cases. Most veraPDF users don\u0027t insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T18:20:27.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x"
},
{
"name": "https://github.com/veraPDF/veraPDF-library/issues/1488",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/veraPDF/veraPDF-library/issues/1488"
}
],
"source": {
"advisory": "GHSA-4cx5-89vm-833x",
"discovery": "UNKNOWN"
},
"title": "Potential XXE (XML External Entity Injection) vulnerability in veraPDF CLI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52800",
"datePublished": "2024-11-29T18:20:27.825Z",
"dateReserved": "2024-11-15T17:11:13.440Z",
"dateUpdated": "2024-12-02T11:19:36.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52596 (GCVE-0-2024-52596)
Vulnerability from cvelistv5 – Published: 2024-12-02 16:24 – Updated: 2024-12-02 18:36- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/simplesamlphp/xml-common/secur… | x_refsource_CONFIRM |
| https://github.com/simplesamlphp/xml-common/commi… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2024… |
| Vendor | Product | Version | |
|---|---|---|---|
| simplesamlphp | xml-common |
Affected:
< 1.20.0
|
|
| simplesamlphp | xml-common |
Affected:
0 , < 1.20.0
(custom)
cpe:2.3:a:simplesamlphp:xml-common:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-02T17:02:40.705Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:simplesamlphp:xml-common:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xml-common",
"vendor": "simplesamlphp",
"versions": [
{
"lessThan": "1.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-02T18:32:34.951320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T18:36:23.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xml-common",
"vendor": "simplesamlphp",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SimpleSAMLphp xml-common is a common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE. This vulnerability is fixed in 1.19.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-02T16:24:49.591Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm"
},
{
"name": "https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5"
}
],
"source": {
"advisory": "GHSA-2x65-fpch-2fcm",
"discovery": "UNKNOWN"
},
"title": "SimpleSAMLphp xml-common XXE vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52596",
"datePublished": "2024-12-02T16:24:49.591Z",
"dateReserved": "2024-11-14T15:05:46.769Z",
"dateUpdated": "2024-12-02T18:36:23.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52007 (GCVE-0-2024-52007)
Vulnerability from cvelistv5 – Published: 2024-11-08 22:28 – Updated: 2024-11-12 18:47- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://github.com/hapifhir/org.hl7.fhir.core/sec… | x_refsource_CONFIRM |
| https://github.com/hapifhir/org.hl7.fhir.core/sec… | x_refsource_MISC |
| https://github.com/hapifhir/org.hl7.fhir.core/iss… | x_refsource_MISC |
| https://github.com/hapifhir/org.hl7.fhir.core/pull/1717 | x_refsource_MISC |
| https://cheatsheetseries.owasp.org/cheatsheets/XM… | x_refsource_MISC |
| https://cwe.mitre.org/data/definitions/611.html | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| hapifhir | org.hl7.fhir.core |
Affected:
< 6.4.0
|
|
| hapifhir | hl7_fhir_core |
Affected:
0 , < 6.4.0
(custom)
cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hapifhir:hl7_fhir_core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hl7_fhir_core",
"vendor": "hapifhir",
"versions": [
{
"lessThan": "6.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:55.968328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T18:47:14.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "org.hl7.fhir.core",
"vendor": "hapifhir",
"versions": [
{
"status": "affected",
"version": "\u003c 6.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( \u003c!DOCTYPE foo [\u003c!ENTITY example SYSTEM \"/etc/passwd\"\u003e ]\u003e could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 \u0026 #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T22:28:20.169Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-gr3c-q7xf-47vh"
},
{
"name": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"
},
{
"name": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapifhir/org.hl7.fhir.core/issues/1571"
},
{
"name": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hapifhir/org.hl7.fhir.core/pull/1717"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j",
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j"
},
{
"name": "https://cwe.mitre.org/data/definitions/611.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/611.html"
}
],
"source": {
"advisory": "GHSA-gr3c-q7xf-47vh",
"discovery": "UNKNOWN"
},
"title": "XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52007",
"datePublished": "2024-11-08T22:28:20.169Z",
"dateReserved": "2024-11-04T17:46:16.779Z",
"dateUpdated": "2024-11-12T18:47:14.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.