CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-X7QF-QH3R-MX22
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2024-01-30 22:36Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.49"
},
"package": {
"ecosystem": "Maven",
"name": "org.jvnet.hudson.plugins:dry"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.50"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000010"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T22:36:41Z",
"nvd_published_at": "2018-01-23T14:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
"id": "GHSA-x7qf-qh3r-mx22",
"modified": "2024-01-30T22:36:41Z",
"published": "2022-05-14T03:46:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000010"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-01-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XXE vulnerability in Jenkins DRY Plugin"
}
GHSA-X7XF-253V-X3W8
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2023-12-21 22:58The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.11"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.8"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-8739"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:47:38Z",
"nvd_published_at": "2017-08-10T18:29:00Z",
"severity": "HIGH"
},
"details": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
"id": "GHSA-x7xf-253v-x3w8",
"modified": "2023-12-21T22:58:21Z",
"published": "2022-05-13T01:09:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/8e4970d9"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/9deb2d17"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
},
{
"type": "WEB",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS"
}
GHSA-X832-FPVJ-R5PH
Vulnerability from github – Published: 2025-11-28 06:32 – Updated: 2025-12-01 20:46Mustang before 2.16.3 allows exfiltrating files via XXE attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.mustangproject:library"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.16.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.mustangproject:validator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.16.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66372"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-01T20:46:20Z",
"nvd_published_at": "2025-11-28T04:16:01Z",
"severity": "LOW"
},
"details": "Mustang before 2.16.3 allows exfiltrating files via XXE attacks.",
"id": "GHSA-x832-fpvj-r5ph",
"modified": "2025-12-01T20:46:20Z",
"published": "2025-11-28T06:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66372"
},
{
"type": "WEB",
"url": "https://github.com/ZUGFeRD/mustangproject/issues/685"
},
{
"type": "WEB",
"url": "https://github.com/ZUGFeRD/mustangproject/pull/725"
},
{
"type": "WEB",
"url": "https://github.com/ZUGFeRD/mustangproject/commit/6461dad8d3d7876547155dacbd28b458f1eb2e0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZUGFeRD/mustangproject"
},
{
"type": "WEB",
"url": "https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mustangproject allows exfiltrating files via XXE attacks"
}
GHSA-X879-CX33-WC6W
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-17912"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-02T14:29:00Z",
"severity": "HIGH"
},
"details": "An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.",
"id": "GHSA-x879-cx33-wc6w",
"modified": "2022-05-13T01:33:46Z",
"published": "2022-05-13T01:33:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17912"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-305-04"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X996-H3MP-C4P4
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-7465"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-27T16:29:00Z",
"severity": "CRITICAL"
},
"details": "It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a \u0027javax.xml.transform.TransformerFactory\u0027. If the FEATURE_SECURE_PROCESSING feature is set to \u0027true\u0027, it mitigates this vulnerability.",
"id": "GHSA-x996-h3mp-c4p4",
"modified": "2022-05-13T01:36:21Z",
"published": "2022-05-13T01:36:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7465"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7465"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97605"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X99J-H38H-9FRX
Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.
{
"affected": [],
"aliases": [
"CVE-2018-0207"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-08T07:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.",
"id": "GHSA-x99j-h38h-9frx",
"modified": "2022-05-13T01:17:29Z",
"published": "2022-05-13T01:17:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0207"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103343"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X9V6-5M2F-Q2HR
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected.
{
"affected": [],
"aliases": [
"CVE-2021-22158"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-06T21:15:00Z",
"severity": "HIGH"
},
"details": "The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file\u0027s encryption key to successfully exploit. All versions before 7.11 are affected.",
"id": "GHSA-x9v6-5m2f-q2hr",
"modified": "2022-05-24T17:46:36Z",
"published": "2022-05-24T17:46:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22158"
},
{
"type": "WEB",
"url": "https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0003"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XC2C-W3G3-GC65
Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.
{
"affected": [],
"aliases": [
"CVE-2017-1000496"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-03T14:29:00Z",
"severity": "HIGH"
},
"details": "Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.",
"id": "GHSA-xc2c-w3g3-gc65",
"modified": "2022-05-14T03:49:57Z",
"published": "2022-05-14T03:49:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000496"
},
{
"type": "WEB",
"url": "https://github.com/commsy/commsy/issues/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XC72-7FJV-V78H
Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.
{
"affected": [],
"aliases": [
"CVE-2019-3481"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-25T17:29:00Z",
"severity": "HIGH"
},
"details": "Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.",
"id": "GHSA-xc72-7fjv-v78h",
"modified": "2022-05-14T01:15:49Z",
"published": "2022-05-14T01:15:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3481"
},
{
"type": "WEB",
"url": "https://softwaresupport.softwaregrp.com/doc/KM03355866"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XF3G-MQGG-66G3
Vulnerability from github – Published: 2022-05-14 01:30 – Updated: 2022-05-14 01:30An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2018-9116"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-29T07:29:00Z",
"severity": "CRITICAL"
},
"details": "An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.",
"id": "GHSA-xf3g-mqgg-66g3",
"modified": "2022-05-14T01:30:32Z",
"published": "2022-05-14T01:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9116"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/wiremock-user/PQ1UQzKZVl0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.