CWE-776
AllowedImproper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Abstraction: Base · Status: Draft
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
142 vulnerabilities reference this CWE, most recent first.
GHSA-F4FJ-Q6M4-CC52
Vulnerability from github – Published: 2024-06-07 21:10 – Updated: 2024-06-07 21:10Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:
- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zend-xmlrpc"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zend-xmlrpc"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T21:10:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
"id": "GHSA-f4fj-q6m4-cc52",
"modified": "2024-06-07T21:10:25Z",
"published": "2024-06-07T21:10:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/0ee07bc62e32ddde2680a48fe13fd58c28a208aa"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/204ccbee883487e4873bce89278c48e370c21a63"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/27201f2c48acb3ab6135e8772211d9cb707693d6"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/48f20929f93df4a79254c85155aaebbbe330dc93"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/7a42486b63797a37af5c26be1bd3d4fb235a5939"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zend-xmlrpc/commit/93376258630eab4823cd5009a7230e17073feed8"
},
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-xmlrpc/ZF2014-01.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zend-xmlrpc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ZendFramework vulnerable to XXE/XEE attacks"
}
GHSA-F75P-X5VM-83QP
Vulnerability from github – Published: 2024-05-30 13:02 – Updated: 2024-05-30 13:02Symfony 2.0.11 carried a [similar] XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no current method of disabling custom entities in PHP (i.e. defined internal to the XML document without using external entities). In a QBA, a long entity can be defined and then referred to multiple times in document elements, creating a memory sink with which Denial Of Service attacks against a host's RAM can be mounted. The use of the LIBXML_NOENT or equivalent option in a dependent extension amplified the impact (it doesn't actually mean "No Entities"). In addition, libxml2's innate defense against the related Exponential or Billion Laugh's XEE attacks is active only so long as the LIBXML_PARSEHUGE is NOT set (it disables libxml2's hardcoded entity recursion limit). No instances of these two options were noted, but it's worth referencing for the future.
Consider this (non-fatal) example:
<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY a
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">]>
<data>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</data>
Increase the length of entity, and entity count to a few hundred, and peak memory usage will waste no time spiking the moment the nodeValue for is accessed since the entities will then be expanded by a simple multiplier effect. No external entities required.
...
This can be used in combination with the usual XXE defense of calling libxml_disable_entity_loader(TRUE) and, optionally, the LIBXML_NONET option (should local filesystem access be allowable). The DOCTYPE may be removed instead of rejecting the XML outright but this would likely result in other problems with the unresolved entities. "
If you cannot upgrade to the latest Symfony version, you can also apply this patch.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/translation"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T13:02:41Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Symfony 2.0.11 carried a [similar] XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no current method of disabling custom entities in PHP (i.e. defined internal to the XML document without using external entities). In a QBA, a long entity can be defined and then referred to multiple times in document elements, creating a memory sink with which Denial Of Service attacks against a host\u0027s RAM can be mounted. The use of the LIBXML_NOENT or equivalent option in a dependent extension amplified the impact (it doesn\u0027t actually mean \"No Entities\"). In addition, libxml2\u0027s innate defense against the related Exponential or Billion Laugh\u0027s XEE attacks is active only so long as the LIBXML_PARSEHUGE is NOT set (it disables libxml2\u0027s hardcoded entity recursion limit). No instances of these two options were noted, but it\u0027s worth referencing for the future.\n\nConsider this (non-fatal) example:\n```\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE data [\u003c!ENTITY a\n\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\u003e]\u003e\n\u003cdata\u003e\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u003c/data\u003e\n```\nIncrease the length of entity, and entity count to a few hundred, and peak memory usage will waste no time spiking the moment the nodeValue for is accessed since the entities will then be expanded by a simple multiplier effect. No external entities required.\n\n...\n\nThis can be used in combination with the usual XXE defense of calling libxml_disable_entity_loader(TRUE) and, optionally, the LIBXML_NONET option (should local filesystem access be allowable). The DOCTYPE may be removed instead of rejecting the XML outright but this would likely result in other problems with the unresolved entities. \"\n\nIf you cannot upgrade to the latest Symfony version, you can also apply this [patch](https://github.com/symfony/symfony/compare/352e8f583c87c709de197bb16c4053d2e87fd4cd...5bf4f92e86c34690d71e8f94350ec975909a435b.diff).",
"id": "GHSA-f75p-x5vm-83qp",
"modified": "2024-05-30T13:02:41Z",
"published": "2024-05-30T13:02:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/translation/commit/178b3eba474a706f25473d38e23e74b048417c8d"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/translation/2012-08-28.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/translation"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/security-release-symfony-2-0-17-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "symfony/translation XML Entity Expansion vulnerability"
}
GHSA-FCJH-XXF4-45HH
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
{
"affected": [],
"aliases": [
"CVE-2020-4481"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.",
"id": "GHSA-fcjh-xxf4-45hh",
"modified": "2022-05-24T17:24:59Z",
"published": "2022-05-24T17:24:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4481"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181848"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6256128"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FGQ9-FC3Q-VQMW
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-10-31 20:21Withdrawn Advisory
This advisory has been withdrawn because the underlying vulnerability could not be reproduced. This link is maintained to preserve external references.
Original Description
An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.dom4j:dom4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45960"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-27T19:50:41Z",
"nvd_published_at": "2023-10-25T18:17:35Z",
"severity": "MODERATE"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because [the underlying vulnerability could not be reproduced](https://github.com/joker-xiaoyan/XXE-SAXReader/issues/1#issuecomment-1783780581). This link is maintained to preserve external references.\n\n## Original Description\nAn issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function.",
"id": "GHSA-fgq9-fc3q-vqmw",
"modified": "2023-10-31T20:21:23Z",
"published": "2023-10-25T18:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45960"
},
{
"type": "WEB",
"url": "https://github.com/dom4j/dom4j/issues/171#issuecomment-1781547256"
},
{
"type": "WEB",
"url": "https://github.com/joker-xiaoyan/XXE-SAXReader/issues/1"
},
{
"type": "WEB",
"url": "https://dom4j.github.io"
},
{
"type": "PACKAGE",
"url": "https://github.com/dom4j/dom4j"
},
{
"type": "WEB",
"url": "https://github.com/joker-xiaoyan/XXE-SAXReader/blob/8c0d24f9800c36c8ad36457c1df1e4aaff24c7b9/POC.java"
},
{
"type": "WEB",
"url": "https://github.com/joker-xiaoyan/XXE-SAXReader/tree/main"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Withdrawn Advisory: dom4j XML Entity Expansion vulnerability",
"withdrawn": "2023-10-31T20:21:23Z"
}
GHSA-FRQP-FR6C-CW58
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2024-04-04 03:06The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
{
"affected": [],
"aliases": [
"CVE-2021-28973"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T17:15:00Z",
"severity": "MODERATE"
},
"details": "The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.",
"id": "GHSA-frqp-fr6c-cw58",
"modified": "2024-04-04T03:06:04Z",
"published": "2022-05-24T17:47:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28973"
},
{
"type": "WEB",
"url": "https://www.compass-security.com/fileadmin/Research/Advisories/2021-01_CSNC-2021-005_Helix_ALM_XXE.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G2RW-3CC4-QQ38
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-20104"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-06T03:15:00Z",
"severity": "MODERATE"
},
"details": "The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability.",
"id": "GHSA-g2rw-3cc4-qq38",
"modified": "2022-05-24T17:08:08Z",
"published": "2022-05-24T17:08:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20104"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/CWD-5526"
},
{
"type": "WEB",
"url": "https://zeroauth.ltd/blog/2020/02/07/cve-2019-20104-atlassian-crowd-openid-client-vulnerable-to-remote-dos-via-xml-entity-expansion"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G43W-98WP-M694
Vulnerability from github – Published: 2024-05-23 14:49 – Updated: 2024-05-23 14:49A low level vulnerability has been found in the SilverStripe framework, where the Quadratic Blowup Attack could potentially be exploited to affect the performance of a site.
See http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/ for a writeup.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.11"
},
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-23T14:49:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A low level vulnerability has been found in the SilverStripe framework, where the Quadratic Blowup Attack could potentially be exploited to affect the performance of a site.\n\nSee http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/ for a writeup.",
"id": "GHSA-g43w-98wp-m694",
"modified": "2024-05-23T14:49:39Z",
"published": "2024-05-23T14:49:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/7f983c2bae1dc78ca7217e9af364b2fb71dcefe8"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2014-017-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/software/download/security-releases/ss-2014-017-xml-quadratic-blowup-attack"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "SilverStripe framework XML Quadratic Blowup Attack"
}
GHSA-G5MJ-C26G-VMPM
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:36Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:TestComplete"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24443"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:00:03Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "CRITICAL"
},
"details": "Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.",
"id": "GHSA-g5mj-c26g-vmpm",
"modified": "2023-02-03T20:36:33Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24443"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/testcomplete-plugin/commit/971003ea578a090ed9a5b9487acb9d2aa93645d3"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/testcomplete-plugin/commit/cfb0fc3cd807cb72c24424cef98ce39710f2e5fb"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XML Entity Expansion in Jenkins TestComplete support Plugin"
}
GHSA-G8Q7-XV52-HF9F
Vulnerability from github – Published: 2020-01-28 22:37 – Updated: 2024-09-20 17:44Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only.
Patches
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Workarounds
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
References
For more information
If you have any questions or comments about this advisory: - Open an issue in lkiesow/python-feedgen - Send an email to security@lkiesow.de
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "feedgen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5227"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-28T22:34:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe *feedgen* library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to [XML Denial of Service Attacks](https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses) (e.g. XML Bomb).\n\nThis becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex content only.\n\n### Patches\n\nThis problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.\n\n### Workarounds\n\nUpdating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML. \n\n### References\n\n- [Security Briefs - XML Denial of Service Attacks and Defenses](https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses)\n- [Billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack#cite_note-2)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Open an issue in [lkiesow/python-feedgen](https://github.com/lkiesow/python-feedgen/issues)\n- Send an email to security@lkiesow.de",
"id": "GHSA-g8q7-xv52-hf9f",
"modified": "2024-09-20T17:44:21Z",
"published": "2020-01-28T22:37:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lkiesow/python-feedgen/security/advisories/GHSA-g8q7-xv52-hf9f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5227"
},
{
"type": "WEB",
"url": "https://github.com/lkiesow/python-feedgen/commit/f57a01b20fa4aaaeccfa417f28e66b4084b9d0cf"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/november/xml-denial-of-service-attacks-and-defenses"
},
{
"type": "PACKAGE",
"url": "https://github.com/lkiesow/python-feedgen"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/feedgen/PYSEC-2020-231.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6I5ENUYGFNMIH6ZQ62FZ6VU2WD3SIOI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Feedgen Vulnerable to XML Denial of Service Attacks"
}
GHSA-GP39-H9C2-QW79
Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2023-09-25 14:47Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework1"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendopenid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendrest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-audioscrobbler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-nirvanix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-slideshare"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-technorati"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-windowsazure"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-amazon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendservice-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-2682"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-25T14:47:31Z",
"nvd_published_at": "2014-11-16T00:59:00Z",
"severity": "MODERATE"
},
"details": "Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.",
"id": "GHSA-gp39-h9c2-qw79",
"modified": "2023-09-25T14:47:31Z",
"published": "2022-05-14T00:56:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2682"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20140419041226/http://www.securityfocus.com/bid/66358"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150523055201/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:072/?name=MDVSA-2014:072"
},
{
"type": "WEB",
"url": "http://advisories.mageia.org/MGASA-2014-0151.html"
},
{
"type": "WEB",
"url": "http://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q2/0"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3265"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Several Zend Products Vulnerable to XXE and XEE attacks"
}
Mitigation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Mitigation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.