
CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) — Vulnerability Class, 424 CVEs

424 vulnerabilities are classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)). AI-generated Chinese-language analysis included.

CWE-611 is a parser-configuration weakness rather than a classic input-validation bug: an application hands an XML parser a document it did not author, and the parser honours a DOCTYPE that declares an external entity (for example an <!ENTITY xxe SYSTEM "file:///etc/passwd"> declaration) and resolves it wherever &xxe; is referenced. Depending on what the parser is allowed to do, the attacker gets local file contents reflected into the application's output or error messages, makes the server issue requests to internal hosts the server can reach but the attacker cannot (server-side request forgery), or exhausts CPU and memory with an entity that points at a huge or never-ending resource, or with nested internal entities that expand exponentially. The fix belongs in the parser, not in input filtering: disable resolution of external general and parameter entities, disable loading of external DTDs, and, where the application never needs a DTD, reject any DOCTYPE outright. Prefer libraries or wrappers that ship with these settings off, and check the configuration of every parser instance, because one default-configured parser on a rarely used import path is enough to produce a finding of this class.

MITRE CWE Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Common Consequences (3)
Confidentiality: Read Application Data, Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the co…
Integrity: Bypass Protection Mechanism
An attacker may supply a crafted DTD using URIs with schemes such as http://, forcing the application to make outgoing HTTP requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions; hide the source of attacks such as port scanning; or otherwise l…
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
Mitigations (1)
Implementation, System Configuration: Many XML parsers and validators can be configured to disable external entity expansion.
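The file-read and entity-expansion effects described in the summary and in the consequences above, shown with Python's standard-library xml.sax parser. This is an added example, not code from this page, from MITRE or from any of the listed products; the secret file, both payloads and the parse_text/demo names are constructed for illustration. feature_external_ges is the switch that decides whether an external general entity is fetched (it is off by default in current Python releases, so the first call turns it on deliberately to reproduce a legacy parser); the hardened path leaves fetching off and installs a lexical handler that refuses any DOCTYPE, which also stops the nested-entity denial of service because those entities can only be declared inside a DOCTYPE.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class DtdRejected(Exception):
    """Raised by the hardened parser when untrusted input carries a DOCTYPE."""


class _TextCollector(handler.ContentHandler):
    """Gathers character data, the channel through which XXE output leaks."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _NoDtd:
    """Lexical handler whose only job is to refuse a DOCTYPE before it is read."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    # The remaining lexical callbacks are required by the interface; ignore them.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_text(xml_bytes, *, fetch_external_entities=False, reject_dtd=True):
    """Return the character data of xml_bytes under the chosen parser policy."""
    parser = xml.sax.make_parser()
    # External general entities: <!ENTITY x SYSTEM "file:///..."> used as &x;.
    # True reproduces a legacy parser; False (the safe value) skips the fetch.
    parser.setFeature(handler.feature_external_ges, fetch_external_entities)
    # External parameter entities (%x; inside the DTD) are never needed here.
    parser.setFeature(handler.feature_external_pes, False)
    if reject_dtd:
        parser.setProperty(handler.property_lexical_handler, _NoDtd())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def xxe_payload(uri):
    """Classic XXE document: an external entity whose SYSTEM id is the target URI."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<doc>&xxe;</doc>"
    ).encode()


# Constructed nested-entity payload: three levels of 10 expand "lol" 1000 times.
# The real billion-laughs form adds more levels; 1000x is enough to see the ratio.
LAUGHS_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<doc>&lol3;</doc>"""


def _outcome(call):
    """Run call() and report 'rejected' when the hardened parser refuses the DTD."""
    try:
        return call()
    except DtdRejected:
        return "rejected"


def demo():
    """Run both payloads through each policy; returns the observable results."""
    results = {"plain": parse_text(b"<doc>hello</doc>")}
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp, "secret.txt")  # constructed stand-in for /etc/passwd
        secret.write_bytes(b"s3cr3t-token")
        payload = xxe_payload(secret.as_uri())
        # Legacy policy: the file contents come back as document text.
        results["xxe_fetch"] = parse_text(
            payload, fetch_external_entities=True, reject_dtd=False)
        # Fetch disabled but DTD still allowed: the entity expands to nothing.
        results["xxe_nofetch"] = parse_text(payload, reject_dtd=False)
        # Hardened: the DOCTYPE itself is refused before any entity is declared.
        results["xxe_hardened"] = _outcome(lambda: parse_text(payload))
    results["laughs_bytes_in"] = len(LAUGHS_PAYLOAD)
    results["laughs_chars_out"] = len(parse_text(LAUGHS_PAYLOAD, reject_dtd=False))
    results["laughs_hardened"] = _outcome(lambda: parse_text(LAUGHS_PAYLOAD))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things are worth noticing when running it. With fetching disabled but DOCTYPEs allowed, the XXE payload parses cleanly and yields an empty string, so the application sees no error; that silence is why turning off external entities alone is the minimum fix and refusing the DOCTYPE is the safer one. The nested-entity payload needs no network or filesystem access at all, and a few hundred bytes of input already produce 3000 characters of output; the real billion-laughs shape only adds more levels.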
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-0839 | Improper Restriction of XML External Entity Reference in liquibase/liquibase | liquibase/liquibase | 9.1 | - | 2022-03-04
CVE-2022-0265 | Improper Restriction of XML External Entity Reference in hazelcast/hazelcast | hazelcast/hazelcast | 9.1 | - | 2022-03-03
CVE-2022-23640 | Improper Restriction of XML External Entity Reference in Excel-Streaming-Reader | excel-streaming-reader | 9.8 | Critical | 2022-03-02
CVE-2020-14478 | IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611 | FactoryTalk Services Platform | 7.1 | - | 2022-02-24
CVE-2022-23031 | F5 BIG-IP code issue vulnerability | BIG-IP FPS, ASM, and Advanced WAF | 4.9 | - | 2022-01-25
CVE-2022-0219 | Improper Restriction of XML External Entity Reference in skylot/jadx | skylot/jadx | 6.2 | - | 2022-01-20
CVE-2022-0239 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp | stanfordnlp/corenlp | 8.4 | - | 2022-01-17
CVE-2021-40722 | AEM Forms Improper Restriction of XML External Entity Reference | Experience Manager | 9.8 | Critical | 2022-01-13
CVE-2022-0198 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp | stanfordnlp/corenlp | 8.4 | - | 2022-01-13
CVE-2021-3836 | Improper Restriction of XML External Entity Reference in dbeaver/dbeaver | dbeaver/dbeaver | 7.1 | - | 2021-12-14
CVE-2021-3869 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp | stanfordnlp/corenlp | 8.4 | - | 2021-10-19
CVE-2021-3878 | Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp | stanfordnlp/corenlp | 8.4 | - | 2021-10-15
CVE-2021-40500 | SAP BusinessObjects Business Intelligence Platform code issue vulnerability | SAP BusinessObjects Business Intelligence Platform (Crystal Reports) | 7.5 | - | 2021-10-12
CVE-2021-40439 | Billion Laughs | Apache OpenOffice | 8.1 | - | 2021-10-07
CVE-2021-34706 | Cisco Identity Services Engine XML External Entity Injection Vulnerability | Cisco Identity Services Engine Software | 6.4 | Medium | 2021-10-06
CVE-2021-41098 | Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby | nokogiri | 7.5 | - | 2021-09-27
CVE-2021-40356 | Teamcenter code issue vulnerability | Teamcenter V12.4 | 7.5 | - | 2021-09-14
CVE-2021-3055 | PAN-OS: XML External Entity (XXE) Reference Vulnerability in the PAN-OS Web Interface | PAN-OS | 6.5 | Medium | 2021-09-08
CVE-2021-34436 | Eclipse Theia code issue vulnerability | Eclipse Theia | 9.8 | - | 2021-09-02
CVE-2021-37178 | Siemens Solid Edge code issue vulnerability | Solid Edge SE2021 | 5.5 | - | 2021-08-10
CVE-2020-5323 | DELL EMC OpenManage Enterprise and DELL EMC OpenManage Enterprise-Modular injection vulnerability | Dell OpenManage Enterprise | 5.4 | Medium | 2021-07-19
CVE-2019-3752 | Dell EMC Avamar Server and EMC Integrated Data Protection Appliance code issue vulnerability | Avamar | 8.2 | - | 2021-07-16
CVE-2021-32754 | Improper Restriction of XML External Entity Reference in de.tud.sse | FlowDroid | 5.3 | Medium | 2021-07-12
CVE-2012-1102 | XML-Atom code issue vulnerability | perl-xml-atom | 7.5 | - | 2021-07-09
CVE-2021-32972 | Panasonic FPWIN Pro code issue vulnerability | Panasonic FPWIN Pro | 5.5 | - | 2021-07-09
CVE-2021-29620 | XXE vulnerability on Launch import with externally-defined DTD file | reportportal | 7.5 | High | 2021-06-23
CVE-2021-27492 | Siemens Solid Edge code issue vulnerability | Datakit Software libraries embedded in Luxion KeyShot software | 5.5 | - | 2021-05-27
CVE-2021-22140 | Elastic App Search web crawler code issue vulnerability | Elastic App Search | 7.5 | - | 2021-05-13
CVE-2021-1530 | Cisco BroadWorks Messaging Server XML External Entity Injection Vulnerability | Cisco BroadWorks | 5.4 | Medium | 2021-05-06
CVE-2021-1369 | Cisco Firepower Device Manager On-Box Software XML External Entity Vulnerability | Cisco Firepower Threat Defense Software | 5.4 | Medium | 2021-04-29

Vulnerabilities classified as CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) account for 424 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.