CWE-776
AllowedImproper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Abstraction: Base · Status: Draft
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
142 vulnerabilities reference this CWE, most recent first.
GHSA-442W-6F43-74G9
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-04 00:01The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
{
"affected": [],
"aliases": [
"CVE-2014-2228"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-19T14:15:00Z",
"severity": "CRITICAL"
},
"details": "The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.",
"id": "GHSA-442w-6f43-74g9",
"modified": "2024-04-04T00:01:25Z",
"published": "2022-05-17T19:57:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2228"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140425095352/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Remote-code-execution-and-XML-Entity-Expansion-injection/ba-p/6403370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4QPC-3HR4-R2P4
Vulnerability from github – Published: 2026-05-27 21:33 – Updated: 2026-05-27 21:33Description
Symfony\Component\Yaml\Parser resolves YAML aliases (*anchor) during parsing. Aliases that reference collections (arrays, stdClass, TaggedValue-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic "Billion Laughs" denial-of-service against any parser exposed to untrusted YAML.
Resolution
The Parser now counts collection alias resolutions in a shared ParserState object, with a default limit of 128, following the SnakeYAML model. Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new $maxAliasesForCollections argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile(). A new Yaml::PARSE_EXCEPTION_ON_ALIAS flag also rejects all aliases outright when parsing fully untrusted input.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45304"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:33:50Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser` resolves YAML aliases (`*anchor`) during parsing. Aliases that reference *collections* (arrays, `stdClass`, `TaggedValue`-wrapped collections) can themselves point to other collections containing aliases, creating exponential expansion at resolution time. A small input can blow up into a multi-gigabyte structure and exhaust memory: the classic \"Billion Laughs\" denial-of-service against any parser exposed to untrusted YAML.\n\n### Resolution\n\nThe `Parser` now counts collection alias resolutions in a shared `ParserState` object, with a default limit of **128**, following the [SnakeYAML model](https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/LoaderOptions.java). Scalar aliases remain unrestricted since they cannot drive exponential growth. The limit is configurable via a new `$maxAliasesForCollections` argument on `Parser::__construct()`, `Yaml::parse()` and `Yaml::parseFile()`. A new `Yaml::PARSE_EXCEPTION_ON_ALIAS` flag also rejects all aliases outright when parsing fully untrusted input.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-4qpc-3hr4-r2p4",
"modified": "2026-05-27T21:33:50Z",
"published": "2026-05-27T21:33:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45304.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45304.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony\u0027s YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion (\"Billion Laughs\")"
}
GHSA-4VF2-QFG3-7598
Vulnerability from github – Published: 2024-05-30 13:10 – Updated: 2024-05-30 13:10Symfony 2.0.11 carried a [similar] XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no current method of disabling custom entities in PHP (i.e. defined internal to the XML document without using external entities). In a QBA, a long entity can be defined and then referred to multiple times in document elements, creating a memory sink with which Denial Of Service attacks against a host's RAM can be mounted. The use of the LIBXML_NOENT or equivalent option in a dependent extension amplified the impact (it doesn't actually mean "No Entities"). In addition, libxml2's innate defense against the related Exponential or Billion Laugh's XEE attacks is active only so long as the LIBXML_PARSEHUGE is NOT set (it disables libxml2's hardcoded entity recursion limit). No instances of these two options were noted, but it's worth referencing for the future.
Consider this (non-fatal) example:
<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY a
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">]>
<data>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</data>
Increase the length of entity, and entity count to a few hundred, and peak memory usage will waste no time spiking the moment the nodeValue for is accessed since the entities will then be expanded by a simple multiplier effect. No external entities required.
...
This can be used in combination with the usual XXE defense of calling libxml_disable_entity_loader(TRUE) and, optionally, the LIBXML_NONET option (should local filesystem access be allowable). The DOCTYPE may be removed instead of rejecting the XML outright but this would likely result in other problems with the unresolved entities. "
If you cannot upgrade to the latest Symfony version, you can also apply this patch.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/validator"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T13:10:53Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Symfony 2.0.11 carried a [similar] XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no current method of disabling custom entities in PHP (i.e. defined internal to the XML document without using external entities). In a QBA, a long entity can be defined and then referred to multiple times in document elements, creating a memory sink with which Denial Of Service attacks against a host\u0027s RAM can be mounted. The use of the LIBXML_NOENT or equivalent option in a dependent extension amplified the impact (it doesn\u0027t actually mean \"No Entities\"). In addition, libxml2\u0027s innate defense against the related Exponential or Billion Laugh\u0027s XEE attacks is active only so long as the LIBXML_PARSEHUGE is NOT set (it disables libxml2\u0027s hardcoded entity recursion limit). No instances of these two options were noted, but it\u0027s worth referencing for the future.\n\nConsider this (non-fatal) example:\n```\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE data [\u003c!ENTITY a\n\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\u003e]\u003e\n\u003cdata\u003e\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u003c/data\u003e\n```\nIncrease the length of entity, and entity count to a few hundred, and peak memory usage will waste no time spiking the moment the nodeValue for is accessed since the entities will then be expanded by a simple multiplier effect. No external entities required.\n\n...\n\nThis can be used in combination with the usual XXE defense of calling libxml_disable_entity_loader(TRUE) and, optionally, the LIBXML_NONET option (should local filesystem access be allowable). The DOCTYPE may be removed instead of rejecting the XML outright but this would likely result in other problems with the unresolved entities. \"\n\nIf you cannot upgrade to the latest Symfony version, you can also apply this [patch](https://github.com/symfony/symfony/compare/352e8f583c87c709de197bb16c4053d2e87fd4cd...5bf4f92e86c34690d71e8f94350ec975909a435b.diff).",
"id": "GHSA-4vf2-qfg3-7598",
"modified": "2024-05-30T13:10:53Z",
"published": "2024-05-30T13:10:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/validator/commit/b5a30be97ac47181fa5c420bc70a924dff71a5c0"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/2012-08-28.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/validator"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/security-release-symfony-2-0-17-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "symfony/validator XML Entity Expansion vulnerability"
}
GHSA-5J3F-6X5J-RRV5
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2024-11-26 18:38A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2021-1267"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-13T22:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition.",
"id": "GHSA-5j3f-6x5j-rrv5",
"modified": "2024-11-26T18:38:41Z",
"published": "2022-05-24T17:39:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1267"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xee-DFzARDcs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5QF9-CF9C-HJC6
Vulnerability from github – Published: 2026-06-08 15:33 – Updated: 2026-06-12 19:06When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.15.1"
},
"package": {
"ecosystem": "crates.io",
"name": "routinator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49235"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-755",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T19:06:16Z",
"nvd_published_at": "2026-06-08T15:16:48Z",
"severity": "HIGH"
},
"details": "When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.",
"id": "GHSA-5qf9-cf9c-hjc6",
"modified": "2026-06-12T19:06:16Z",
"published": "2026-06-08T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49235"
},
{
"type": "PACKAGE",
"url": "https://github.com/NLnetLabs/routinator"
},
{
"type": "WEB",
"url": "https://github.com/NLnetLabs/routinator/releases/tag/v0.15.2"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49235.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Routinator crashes when encountering maliciously crafted RRDP XML files"
}
GHSA-5WM2-38Q5-5RXV
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2023-09-25 14:35Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendopenid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendrest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-audioscrobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-nirvanix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-slideshare"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-technorati"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-windowsazure"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-amazon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2683"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T14:35:32Z",
"nvd_published_at": "2014-11-16T00:59:00Z",
"severity": "MODERATE"
},
"details": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.",
"id": "GHSA-5wm2-38q5-5rxv",
"modified": "2023-09-25T14:35:32Z",
"published": "2022-05-14T00:56:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2683"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0151.html"
},
{
"type": "WEB",
"url": "http://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q2/0"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3265"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Several Zend Products Vulnerable to XXE and XEE attacks"
}
GHSA-5X8P-X36C-4GWR
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-05 12:00CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
{
"affected": [],
"aliases": [
"CVE-2022-42745"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "HIGH"
},
"details": "CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.",
"id": "GHSA-5x8p-x36c-4gwr",
"modified": "2022-11-05T12:00:21Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42745"
},
{
"type": "WEB",
"url": "https://candidats.net"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/jcole"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62QP-3FXM-9WXF
Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2023-06-09 19:45Nokogiri gem has Denial of Service via infinite loop when parsing XML documents
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-6460"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-09T19:45:51Z",
"nvd_published_at": "2019-11-05T15:15:00Z",
"severity": "MODERATE"
},
"details": "Nokogiri gem has Denial of Service via infinite loop when parsing XML documents",
"id": "GHSA-62qp-3fxm-9wxf",
"modified": "2023-06-09T19:45:51Z",
"published": "2022-05-05T00:29:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6460"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2013-6460"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90058"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6460.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2013-6460"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/12/27/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri vulnerable to DoS while parsing XML documents"
}
GHSA-66WF-G54M-27M7
Vulnerability from github – Published: 2022-05-17 05:30 – Updated: 2024-02-15 21:31Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564.
{
"affected": [],
"aliases": [
"CVE-2011-3288"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-10-06T10:55:00Z",
"severity": "HIGH"
},
"details": "Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564.",
"id": "GHSA-66wf-g54m-27m7",
"modified": "2024-02-15T21:31:24Z",
"published": "2022-05-17T05:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3288"
},
{
"type": "WEB",
"url": "https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110928-xcpcupsxml.html"
},
{
"type": "WEB",
"url": "http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d47.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6C4Q-J8WJ-WF2X
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
{
"affected": [],
"aliases": [
"CVE-2020-24589"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.",
"id": "GHSA-6c4q-j8wj-wf2x",
"modified": "2022-05-24T17:26:20Z",
"published": "2022-05-24T17:26:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24589"
},
{
"type": "WEB",
"url": "https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Mitigation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.