CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1692 vulnerabilities reference this CWE, most recent first.
CVE-2022-1331 (GCVE-0-2022-1331)
Vulnerability from cvelistv5 – Published: 2022-05-03 18:44 – Updated: 2025-04-16 16:25- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Delta Electronics | DMARS |
Affected:
All versions , < v2.1.10.24
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:53:08.709136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:25:48.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DMARS",
"vendor": "Delta Electronics",
"versions": [
{
"lessThan": "v2.1.10.24",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T18:44:32.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-01"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Delta Electronics DMARS Improper Restriction of XML External Entity Reference",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-04-14T16:58:00.000Z",
"ID": "CVE-2022-1331",
"STATE": "PUBLIC",
"TITLE": "Delta Electronics DMARS Improper Restriction of XML External Entity Reference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "DMARS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All versions",
"version_value": "v2.1.10.24"
}
]
}
}
]
},
"vendor_name": "Delta Electronics"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In four instances DMARS (All versions prior to v2.1.10.24) does not properly restrict references of XML external entities while processing specific project files, which may allow unauthorized information disclosure."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-01"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-1331",
"datePublished": "2022-05-03T18:44:32.887Z",
"dateReserved": "2022-04-12T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:25:48.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1018 (GCVE-0-2022-1018)
Vulnerability from cvelistv5 – Published: 2022-04-01 22:17 – Updated: 2025-04-16 16:32- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Rockwell Automation | Connected Component Workbench |
Affected:
All , < 12
(custom)
|
|
| Rockwell Automation | ISaGRAF |
Affected:
All , < 6.6.9
(custom)
|
|
| Rockwell Automation | Safety Instrumented Systems Workstation |
Affected:
All , < 1.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:47:42.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:54:59.168246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:32:28.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Connected Component Workbench",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThan": "12",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "ISaGRAF",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThan": "6.6.9",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "Safety Instrumented Systems Workstation",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThan": "1.1",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "kimiya of Trend Micro\u2019s Zero Day Initiative reported this vulnerability to CISA."
}
],
"datePublic": "2022-03-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:24.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01"
}
],
"solutions": [
{
"lang": "en",
"value": "Rockwell Automation encourages users to update to the available software revisions below:\n\nConnected Component Workbench: Update to v13.00\nISaGRAF Workbench: For now, use mitigations listed until a patch is released. More mitigation actions are planned.\nSafety Instrumented Systems Workstation: Update to v1.2"
}
],
"source": {
"advisory": "ICSA-22-088-01",
"discovery": "EXTERNAL"
},
"title": "ICSA-22-088-01 Rockwell Automation ISaGRAF",
"workarounds": [
{
"lang": "en",
"value": "If an upgrade is not possible or available, users should apply the following mitigations:\n\nRun Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\nDo not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\nUse Microsoft AppLocker or other similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329\nEnsure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2022-03-29T17:00:00.000Z",
"ID": "CVE-2022-1018",
"STATE": "PUBLIC",
"TITLE": "ICSA-22-088-01 Rockwell Automation ISaGRAF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Connected Component Workbench",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "12"
}
]
}
},
{
"product_name": "ISaGRAF",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "6.6.9"
}
]
}
},
{
"product_name": "Safety Instrumented Systems Workstation",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "1.1"
}
]
}
}
]
},
"vendor_name": "Rockwell Automation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "kimiya of Trend Micro\u2019s Zero Day Initiative reported this vulnerability to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "Rockwell Automation encourages users to update to the available software revisions below:\n\nConnected Component Workbench: Update to v13.00\nISaGRAF Workbench: For now, use mitigations listed until a patch is released. More mitigation actions are planned.\nSafety Instrumented Systems Workstation: Update to v1.2"
}
],
"source": {
"advisory": "ICSA-22-088-01",
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "If an upgrade is not possible or available, users should apply the following mitigations:\n\nRun Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\nDo not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\nUse Microsoft AppLocker or other similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329\nEnsure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-1018",
"datePublished": "2022-04-01T22:17:24.599Z",
"dateReserved": "2022-03-17T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:32:28.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0861 (GCVE-0-2022-0861)
Vulnerability from cvelistv5 – Published: 2022-03-23 14:25 – Updated: 2024-08-02 23:40- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://kc.mcafee.com/corporate/index?page=conten… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| McAfee,LLC | McAfee ePolicy Orchestrator (ePO) |
Affected:
unspecified , < 5.10 CU 13
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "McAfee ePolicy Orchestrator (ePO)",
"vendor": "McAfee,LLC",
"versions": [
{
"lessThan": "5.10 CU 13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-23T14:25:19.000Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "ePO XML extended entity vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@mcafee.com",
"ID": "CVE-2022-0861",
"STATE": "PUBLIC",
"TITLE": "ePO XML extended entity vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "McAfee ePolicy Orchestrator (ePO)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.10 CU 13"
}
]
}
}
]
},
"vendor_name": "McAfee,LLC"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2022-0861",
"datePublished": "2022-03-23T14:25:19.000Z",
"dateReserved": "2022-03-04T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:04.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0839 (GCVE-0-2022-0839)
Vulnerability from cvelistv5 – Published: 2022-03-04 14:25 – Updated: 2025-11-03 19:26- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/f1ae5779-b406-4594-a8a… | x_refsource_CONFIRM |
| https://github.com/liquibase/liquibase/commit/33d… | x_refsource_MISC |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2025/Apr/14 |
| Vendor | Product | Version | |
|---|---|---|---|
| liquibase | liquibase/liquibase |
Affected:
unspecified , < 4.8.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:41.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Apr/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "liquibase/liquibase",
"vendor": "liquibase",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:44:56.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"advisory": "f1ae5779-b406-4594-a8a3-d089c68d6e70",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in liquibase/liquibase",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0839",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in liquibase/liquibase"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "liquibase/liquibase",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.0"
}
]
}
}
]
},
"vendor_name": "liquibase"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/f1ae5779-b406-4594-a8a3-d089c68d6e70"
},
{
"name": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381",
"refsource": "MISC",
"url": "https://github.com/liquibase/liquibase/commit/33d9d925082097fb1a3d2fc8e44423d964cd9381"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"advisory": "f1ae5779-b406-4594-a8a3-d089c68d6e70",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0839",
"datePublished": "2022-03-04T14:25:10.000Z",
"dateReserved": "2022-03-03T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:41.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0272 (GCVE-0-2022-0272)
Vulnerability from cvelistv5 – Published: 2022-04-21 16:20 – Updated: 2024-08-02 23:25- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/23e37ba7-96d5-4037-a90… | x_refsource_CONFIRM |
| https://github.com/detekt/detekt/commit/c965a8d2a… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| detekt | detekt/detekt |
Affected:
unspecified , < 1.20.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/23e37ba7-96d5-4037-a90a-8c8f4a70ce44"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "detekt/detekt",
"vendor": "detekt",
"versions": [
{
"lessThan": "1.20.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T16:20:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/23e37ba7-96d5-4037-a90a-8c8f4a70ce44"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395"
}
],
"source": {
"advisory": "23e37ba7-96d5-4037-a90a-8c8f4a70ce44",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in detekt/detekt",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0272",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in detekt/detekt"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "detekt/detekt",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.20.0"
}
]
}
}
]
},
"vendor_name": "detekt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/23e37ba7-96d5-4037-a90a-8c8f4a70ce44",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/23e37ba7-96d5-4037-a90a-8c8f4a70ce44"
},
{
"name": "https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395",
"refsource": "MISC",
"url": "https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395"
}
]
},
"source": {
"advisory": "23e37ba7-96d5-4037-a90a-8c8f4a70ce44",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0272",
"datePublished": "2022-04-21T16:20:10.000Z",
"dateReserved": "2022-01-18T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0265 (GCVE-0-2022-0265)
Vulnerability from cvelistv5 – Published: 2022-03-03 21:40 – Updated: 2024-08-02 23:25- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/d63972a2-b910-480a-a86… | x_refsource_CONFIRM |
| https://github.com/hazelcast/hazelcast/commit/4d6… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| hazelcast | hazelcast/hazelcast |
Affected:
5.1-BETA-1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:38.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d63972a2-b910-480a-a86b-d1f75d24d563"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hazelcast/hazelcast",
"vendor": "hazelcast",
"versions": [
{
"status": "affected",
"version": "5.1-BETA-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-08T09:15:46.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d63972a2-b910-480a-a86b-d1f75d24d563"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748"
}
],
"source": {
"advisory": "d63972a2-b910-480a-a86b-d1f75d24d563",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in hazelcast/hazelcast",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0265",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in hazelcast/hazelcast"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hazelcast/hazelcast",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.1-BETA-1"
}
]
}
}
]
},
"vendor_name": "hazelcast"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/d63972a2-b910-480a-a86b-d1f75d24d563",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d63972a2-b910-480a-a86b-d1f75d24d563"
},
{
"name": "https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748",
"refsource": "MISC",
"url": "https://github.com/hazelcast/hazelcast/commit/4d6b666cd0291abd618c3b95cdbb51aa4208e748"
}
]
},
"source": {
"advisory": "d63972a2-b910-480a-a86b-d1f75d24d563",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0265",
"datePublished": "2022-03-03T21:40:10.000Z",
"dateReserved": "2022-01-17T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:38.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0239 (GCVE-0-2022-0239)
Vulnerability from cvelistv5 – Published: 2022-01-17 06:15 – Updated: 2024-08-23 14:38- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/a717aec2-5646-4a5f-ade… | x_refsource_CONFIRM |
| https://github.com/stanfordnlp/corenlp/commit/194… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| stanfordnlp | stanfordnlp/corenlp |
Affected:
unspecified , < 4.3.3
(custom)
|
|
| stanford | corenlp |
Affected:
0 , < 4.3.3
(custom)
cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.857Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "corenlp",
"vendor": "stanford",
"versions": [
{
"lessThan": "4.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-0239",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T03:55:39.631494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:38:48.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "stanfordnlp/corenlp",
"vendor": "stanfordnlp",
"versions": [
{
"lessThan": "4.3.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-17T06:15:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
}
],
"source": {
"advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0239",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "stanfordnlp/corenlp",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.3"
}
]
}
}
]
},
"vendor_name": "stanfordnlp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
},
{
"name": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd",
"refsource": "MISC",
"url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
}
]
},
"source": {
"advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0239",
"datePublished": "2022-01-17T06:15:11.000Z",
"dateReserved": "2022-01-16T00:00:00.000Z",
"dateUpdated": "2024-08-23T14:38:48.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0221 (GCVE-0-2022-0221)
Vulnerability from cvelistv5 – Published: 2022-03-28 16:25 – Updated: 2024-08-02 23:18- CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
| URL | Tags |
|---|---|
| https://www.se.com/ww/en/download/document/SEVD-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Schneider Electric | SCADAPack Workbench |
Affected:
6.6.8a , < and prior
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SCADAPack Workbench",
"vendor": "Schneider Electric",
"versions": [
{
"lessThan": "and prior",
"status": "affected",
"version": "6.6.8a",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-13T15:45:26.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2022-0221",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SCADAPack Workbench",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.6.8a",
"version_value": "and prior"
}
]
}
}
]
},
"vendor_name": "Schneider Electric"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01/",
"refsource": "MISC",
"url": "https://www.se.com/ww/en/download/document/SEVD-2022-087-01/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2022-0221",
"datePublished": "2022-03-28T16:25:26.000Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0219 (GCVE-0-2022-0219)
Vulnerability from cvelistv5 – Published: 2022-01-20 16:30 – Updated: 2024-08-02 23:18- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/0d093863-29e8-4dd7-a88… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/d22db30166e… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| skylot | skylot/jadx |
Affected:
unspecified , < 1.3.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "skylot/jadx",
"vendor": "skylot",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-20T16:30:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in skylot/jadx",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0219",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in skylot/jadx"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "skylot/jadx",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.2"
}
]
}
}
]
},
"vendor_name": "skylot"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"name": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52",
"refsource": "MISC",
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
]
},
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0219",
"datePublished": "2022-01-20T16:30:11.000Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0198 (GCVE-0-2022-0198)
Vulnerability from cvelistv5 – Published: 2022-01-13 06:45 – Updated: 2024-08-02 23:18- CWE-611 - Improper Restriction of XML External Entity Reference
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af6… | x_refsource_CONFIRM |
| https://github.com/stanfordnlp/corenlp/commit/1f5… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| stanfordnlp | stanfordnlp/corenlp |
Affected:
unspecified , < 4.3.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "stanfordnlp/corenlp",
"vendor": "stanfordnlp",
"versions": [
{
"lessThan": "4.3.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-13T06:45:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
}
],
"source": {
"advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0198",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "stanfordnlp/corenlp",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.3"
}
]
}
}
]
},
"vendor_name": "stanfordnlp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
},
{
"name": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d",
"refsource": "MISC",
"url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
}
]
},
"source": {
"advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0198",
"datePublished": "2022-01-13T06:45:10.000Z",
"dateReserved": "2022-01-12T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.