Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-X7QF-QH3R-MX22

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2024-01-30 22:36
VLAI
Summary
XXE vulnerability in Jenkins DRY Plugin
Details

Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.49"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins:dry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.50"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:36:41Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-x7qf-qh3r-mx22",
  "modified": "2024-01-30T22:36:41Z",
  "published": "2022-05-14T03:46:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000010"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XXE vulnerability in Jenkins DRY Plugin"
}

GHSA-X7XF-253V-X3W8

Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2023-12-21 22:58
VLAI
Summary
Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS
Details

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.11"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf:cxf-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.cxf:cxf-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-8739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:47:38Z",
    "nvd_published_at": "2017-08-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.",
  "id": "GHSA-x7xf-253v-x3w8",
  "modified": "2023-12-21T22:58:21Z",
  "published": "2022-05-13T01:09:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf/commit/8e4970d9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf/commit/9deb2d17"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:0868"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/cxf"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS"
}

GHSA-X832-FPVJ-R5PH

Vulnerability from github – Published: 2025-11-28 06:32 – Updated: 2025-12-01 20:46
VLAI
Summary
Mustangproject allows exfiltrating files via XXE attacks
Details

Mustang before 2.16.3 allows exfiltrating files via XXE attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.mustangproject:library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.mustangproject:validator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-01T20:46:20Z",
    "nvd_published_at": "2025-11-28T04:16:01Z",
    "severity": "LOW"
  },
  "details": "Mustang before 2.16.3 allows exfiltrating files via XXE attacks.",
  "id": "GHSA-x832-fpvj-r5ph",
  "modified": "2025-12-01T20:46:20Z",
  "published": "2025-11-28T06:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZUGFeRD/mustangproject/issues/685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZUGFeRD/mustangproject/pull/725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZUGFeRD/mustangproject/commit/6461dad8d3d7876547155dacbd28b458f1eb2e0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZUGFeRD/mustangproject"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mustangproject allows exfiltrating files via XXE attacks"
}

GHSA-X879-CX33-WC6W

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-02T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.",
  "id": "GHSA-x879-cx33-wc6w",
  "modified": "2022-05-13T01:33:46Z",
  "published": "2022-05-13T01:33:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17912"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-305-04"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X996-H3MP-C4P4

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-27T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a \u0027javax.xml.transform.TransformerFactory\u0027. If the FEATURE_SECURE_PROCESSING feature is set to \u0027true\u0027, it mitigates this vulnerability.",
  "id": "GHSA-x996-h3mp-c4p4",
  "modified": "2022-05-13T01:36:21Z",
  "published": "2022-05-13T01:36:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7465"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7465"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97605"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X99J-H38H-9FRX

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17
VLAI
Details

A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-08T07:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70595.",
  "id": "GHSA-x99j-h38h-9frx",
  "modified": "2022-05-13T01:17:29Z",
  "published": "2022-05-13T01:17:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0207"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103343"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9V6-5M2F-Q2HR

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file's encryption key to successfully exploit. All versions before 7.11 are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-06T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Proofpoint Insider Threat Management Server (formerly ObserveIT Server) is vulnerable to XML external entity (XXE) injection in the Web Console. The vulnerability requires admin user privileges and knowledge of the XML file\u0027s encryption key to successfully exploit. All versions before 7.11 are affected.",
  "id": "GHSA-x9v6-5m2f-q2hr",
  "modified": "2022-05-24T17:46:36Z",
  "published": "2022-05-24T17:46:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22158"
    },
    {
      "type": "WEB",
      "url": "https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XC2C-W3G3-GC65

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49
VLAI
Details

Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-03T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.",
  "id": "GHSA-xc2c-w3g3-gc65",
  "modified": "2022-05-14T03:49:57Z",
  "published": "2022-05-14T03:49:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000496"
    },
    {
      "type": "WEB",
      "url": "https://github.com/commsy/commsy/issues/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XC72-7FJV-V78H

Vulnerability from github – Published: 2022-05-14 01:15 – Updated: 2022-05-14 01:15
VLAI
Details

Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-25T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Mitigates a XML External Entity Parsing issue in ArcSight Logger versions prior to 6.7.",
  "id": "GHSA-xc72-7fjv-v78h",
  "modified": "2022-05-14T01:15:49Z",
  "published": "2022-05-14T01:15:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3481"
    },
    {
      "type": "WEB",
      "url": "https://softwaresupport.softwaregrp.com/doc/KM03355866"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XF3G-MQGG-66G3

Vulnerability from github – Published: 2022-05-14 01:30 – Updated: 2022-05-14 01:30
VLAI
Details

An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-29T07:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An XXE vulnerability within WireMock before 2.16.0 allows a remote unauthenticated attacker to access local files and internal resources and potentially cause a Denial of Service.",
  "id": "GHSA-xf3g-mqgg-66g3",
  "modified": "2022-05-14T01:30:32Z",
  "published": "2022-05-14T01:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9116"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/wiremock-user/PQ1UQzKZVl0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.