CVE-2014-2055
Description
SabreDAV before 1.7.11 (used in ownCloud) allows remote XXE attacks leading to file disclosure, DoS, or other impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SabreDAV versions before 1.7.11 (and, per the advisory table below, 1.8.x before 1.8.9), as shipped in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, contain an XML External Entity (XXE) weakness in their XML parsing. The fix commit touches three call sites: Sabre_DAV_Client::parseMultiStatus, which parses a server's multistatus response on the client side; Sabre_DAV_Locks_Plugin::parseLockRequest, which parses LOCK request bodies; and Sabre_DAV_XMLUtil::loadDOMDocument, the shared DOM loader the server uses for its other XML request bodies. All three pass attacker-controlled XML to simplexml_load_string or DOMDocument::loadXML without disabling libxml's external entity loader, and on PHP versions older than 5.3.23 or 5.4.13 libxml resolves a SYSTEM entity declared in the document's DTD, so whoever controls the XML can make the parser read local files or fetch URLs [2][3].
Exploitation
An attacker sends a crafted XML body to a SabreDAV endpoint that parses one, for example a LOCK or PROPFIND request, with a DOCTYPE that declares an external entity (such as <!ENTITY xxe SYSTEM "file:///etc/passwd">) and references it in an element whose value the server later reflects or stores. The attack is remote over HTTP; the description does not say whether the affected endpoints are reachable without credentials, and on ownCloud the WebDAV endpoints normally sit behind a login, so plan on needing at least a low-privileged account unless the instance exposes DAV anonymously. The vulnerable parser resolves the entity while parsing, so the file content ends up in the parsed document; if the entity instead points at a resource that never returns (a remote host that accepts the connection and then stalls), the parse blocks and ties up a PHP worker, which is the denial-of-service case [1][2]. The same weakness runs the other way in Sabre_DAV_Client: a malicious WebDAV server can answer with a crafted multistatus response, and the entity is then resolved on the client.
Impact
Successful exploitation lets an attacker read files the web server process can access (information disclosure), hold a PHP worker open by making the parser fetch a resource that never returns (denial of service), or, as with any XXE, reach hosts that are only accessible from the server's own network (server-side request forgery); the description summarises this as "file disclosure, DoS, or other impact" [1]. Note that disabling the external entity loader does not address internal entity expansion (billion-laughs style payloads); that is a separate concern handled by libxml's own expansion limits. The weakness is classified as CWE-611 (Improper Restriction of XML External Entity Reference).
Mitigation
The fix shipped in SabreDAV 1.7.11 on 2014-02-26 [3][4]; the 1.8 branch was fixed in 1.8.9 (see the affected packages table), so "1.7.11 or later" is not sufficient for 1.8.0 through 1.8.8. ownCloud users should upgrade to Server 5.0.15 or 6.0.2. The commit calls libxml_disable_entity_loader(true) before each of the three parse calls and restores the previous setting afterwards [3]. There is no configuration switch in SabreDAV itself that works around the problem, but the fix commit and changelog both state that the issue only occurs on PHP older than 5.3.23 / 5.4.13, so running a newer PHP removes the exposure until the library can be upgraded. On PHP 8.0 and later external entity loading is disabled by default and libxml_disable_entity_loader() is deprecated, so the call only matters on older runtimes; the defence that holds on every PHP version is to reject any WebDAV request body that carries a DOCTYPE at all, since DAV bodies never need one.
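The crafted LOCK body from the Exploitation section beside the pre-fix parse pattern and a hardened parse in the spirit of the Mitigation section, as an added example; this is not sabre/dav's or ownCloud's code. The temp file, the request body and the function names are constructed for the demo, and the unguarded function only returns the file contents on the PHP builds the page names (older than 5.3.23 / 5.4.13); on newer builds it comes back empty.

```php
<?php
// Added example for this page, not code from sabre/dav or ownCloud. It reproduces the
// shape of the pre-1.7.11 parse in Sabre_DAV_Locks_Plugin::parseLockRequest() beside a
// hardened version. The temp file, the LOCK body and the function names are constructed.

// Stand-in for a sensitive file the web server user can read (e.g. a config file).
$secret = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secret, "dbpassword=hunter2\n");

// Builds a LOCK request body; $dtd is prepended verbatim, $owner goes into <d:owner>.
function lockBody(string $dtd, string $owner): string
{
    return "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" . $dtd
        . "<d:lockinfo xmlns:d=\"DAV:\">\n"
        . "  <d:lockscope><d:exclusive/></d:lockscope>\n"
        . "  <d:locktype><d:write/></d:locktype>\n"
        . "  <d:owner>$owner</d:owner>\n"
        . "</d:lockinfo>\n";
}

// Constructed crafted body: the DTD declares an external entity and the owner references it.
$crafted = lockBody("<!DOCTYPE d:lockinfo [ <!ENTITY xxe SYSTEM \"file://$secret\"> ]>\n", '&xxe;');
// Constructed benign body: what a normal client sends.
$benign = lockBody('', 'mailto:alice@example.org');

// Pre-fix shape: the body goes straight into simplexml_load_string() with no control over
// external entity loading. On PHP older than 5.3.23 / 5.4.13 libxml fetches the SYSTEM
// entity and the owner string becomes the file contents; on builds that do not load
// external entities the reference resolves to nothing and the owner comes back empty.
function parseLockOwner(string $body): string
{
    $xml = simplexml_load_string($body, null, LIBXML_NOWARNING);
    if ($xml === false) {
        throw new InvalidArgumentException('Body is not well-formed XML');
    }
    $xml->registerXPathNamespace('d', 'DAV:');
    $owner = $xml->xpath('/d:lockinfo/d:owner');
    return $owner ? trim((string) $owner[0]) : '';
}

// Hardened: (1) refuse any body that carries a DTD or entity declaration at all, which
// holds on every PHP version; (2) switch off libxml's external entity loader around the
// parse as the 1.7.11 fix does, plus LIBXML_NONET so a loader that is still enabled cannot
// reach the network; (3) restore the caller's setting in finally so an exception cannot
// leave the process-global flag changed.
function parseLockOwnerHardened(string $body): string
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $body)) {
        throw new InvalidArgumentException('DTD and entity declarations are not accepted');
    }
    // libxml_disable_entity_loader() is deprecated since PHP 8.0, where external entity
    // loading is already off by default, so only touch it on older runtimes.
    $previous = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    try {
        $xml = simplexml_load_string($body, null, LIBXML_NOWARNING | LIBXML_NONET);
        if ($xml === false) {
            throw new InvalidArgumentException('Body is not well-formed XML');
        }
        $xml->registerXPathNamespace('d', 'DAV:');
        $owner = $xml->xpath('/d:lockinfo/d:owner');
        return $owner ? trim((string) $owner[0]) : '';
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

printf("unguarded parse, owner = %s\n", var_export(parseLockOwner($crafted), true));
try {
    parseLockOwnerHardened($crafted);
} catch (InvalidArgumentException $e) {
    echo "hardened parse: rejected (", $e->getMessage(), ")\n";
}
printf("hardened parse of benign body, owner = %s\n", parseLockOwnerHardened($benign));
unlink($secret);
```

Run it with the PHP CLI; on a modern PHP the unguarded parse prints an empty owner, which is exactly why the fix commit scopes the problem to older runtimes, while the DOCTYPE rejection in the hardened version does not depend on which libxml is linked in.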
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sabre/dav (Packagist) | >= 1.6.0, < 1.7.11 | 1.7.11 |
| sabre/dav (Packagist) | >= 1.8.0, < 1.8.9 | 1.8.9 |
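A check of an installed sabre/dav version against the two affected ranges in the table, as an added example that is not from the page or the project. Both inputs are constructed for the demo; a real run would read composer.lock or the vendored lib/Sabre/DAV/Version.php from disk, and the Version.php layout (class Sabre_DAV_Version with a VERSION constant) is assumed here for the 1.x tree that ownCloud vendored.

```php
<?php
// Added example, not from the page or the project: checks a sabre/dav version against the
// affected ranges in the advisory table. Inputs below are constructed; the Version.php
// layout (class Sabre_DAV_Version, const VERSION) is an assumption about the 1.x tree.

const AFFECTED_RANGES = [
    // [lowest affected, first fixed]
    ['1.6.0', '1.7.11'],
    ['1.8.0', '1.8.9'],
];

function isAffected(string $version): bool
{
    $v = ltrim($version, 'v');
    foreach (AFFECTED_RANGES as [$lo, $fixed]) {
        if (version_compare($v, $lo, '>=') && version_compare($v, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Composer-managed install: the pinned version is in composer.lock.
function versionFromComposerLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? null) === 'sabre/dav') {
                return $pkg['version'] ?? null;
            }
        }
    }
    return null;
}

// Vendored 1.x install (as in ownCloud's 3rdparty tree): read the VERSION constant.
function versionFromVersionPhp(string $source): ?string
{
    return preg_match('/const\s+VERSION\s*=\s*[\'"]([^\'"]+)[\'"]/', $source, $m) ? $m[1] : null;
}

// Constructed inputs standing in for files read from disk.
$lock = json_encode(['packages' => [
    ['name' => 'sabre/vobject', 'version' => '2.1.3'],
    ['name' => 'sabre/dav',     'version' => '1.8.7'],
]]);
$versionPhp = "<?php\nclass Sabre_DAV_Version {\n    const VERSION = '1.7.10';\n    const STABILITY = 'stable';\n}\n";

foreach ([
    'composer.lock' => versionFromComposerLock($lock),
    'Version.php'   => versionFromVersionPhp($versionPhp),
    'patched 1.7'   => '1.7.11',
    'patched 1.8'   => '1.8.9',
] as $label => $version) {
    printf("%-14s %-8s %s\n", $label, $version ?? '?', $version !== null && isAffected($version) ? 'AFFECTED' : 'ok');
}
```

The two constructed inputs (1.8.7 and 1.7.10) report AFFECTED and the two patched releases report ok; note that a 1.8.x install is not cleared by "1.7.11 or later", which is the mistake the two-row table is there to prevent.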
Affected products (50 CPE entries)
fruux:sabredav
- cpe:2.3:a:fruux:sabredav:*:*:*:*:*:*:*:* (version range: <= 1.7.10)
- cpe:2.3:a:fruux:sabredav:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:fruux:sabredav:1.8.9:*:*:*:*:*:*:* (listed by NVD, although the advisory table above gives 1.8.9 as the patched 1.8 release; treat 1.8.9 as fixed)
owncloud:owncloud_server
- cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:*:a:*:*:*:*:*:* (version range: <= 5.0.14)
Patches
4 files changed · +19 −2
ChangeLog+2 −1 modified@@ -1,5 +1,6 @@ -1.7.11-stable (2014-??-??) +1.7.11-stable (2014-02-26) * Fixed: Issue #407: large downloads failed. + * Fixed: Issue #414: XXE security problem on older PHP versions. 1.7.10-stable (2014-02-09) * The zip release ships with sabre/vobject 2.1.3.
lib/Sabre/DAV/Client.php+5 −0 modified@@ -530,7 +530,12 @@ public function parseMultiStatus($body) { $body = Sabre_DAV_XMLUtil::convertDAVNamespace($body); + // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or + // 5.4.13. + $previous = libxml_disable_entity_loader(true); $responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA); + libxml_disable_entity_loader($previous); + if ($responseXML===false) { throw new InvalidArgumentException('The passed data is not valid XML'); }
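Review bot: the restore on the new `libxml_disable_entity_loader($previous);` line is skipped whenever `simplexml_load_string(...)` does not return normally, for instance when the host application's error handler turns the libxml warning on a malformed multistatus body into an exception, and because the flag is process-global the loader then stays disabled for any unrelated XML code in the same request. Since this branch still targets PHP 5.3 (the comment cites 5.3.23) and `finally` needs 5.5, wrap the parse in a try/catch that restores `$previous` and rethrows. Adding `LIBXML_NONET` to the options would additionally block network fetches on builds where the loader remains enabled, at no cost for a multistatus body.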
lib/Sabre/DAV/Locks/Plugin.php+7 −0 modified@@ -619,10 +619,17 @@ public function getIfConditions() { */ protected function parseLockRequest($body) { + // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or + // 5.4.13. + $previous = libxml_disable_entity_loader(true); + + $xml = simplexml_load_string( Sabre_DAV_XMLUtil::convertDAVNamespace($body), null, LIBXML_NOWARNING); + libxml_disable_entity_loader($previous); + $xml->registerXPathNamespace('d','urn:DAV'); $lockInfo = new Sabre_DAV_Locks_LockInfo();
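Review bot: right after the restore `libxml_disable_entity_loader($previous);`, `$xml` is used unchecked in `$xml->registerXPathNamespace('d','urn:DAV');`, yet `simplexml_load_string(...)` returns false for a body that is not well-formed XML, and with `LIBXML_NOWARNING` that failure is silent, so a malformed LOCK body from any client ends in a fatal method call on a non-object. Add an `if ($xml === false)` check between the restore and the XPath registration and throw as the Client.php hunk does with its InvalidArgumentException.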
lib/Sabre/DAV/XMLUtil.php+5 −1 modified@@ -113,6 +113,9 @@ static function loadDOMDocument($xml) { // Retaining old error setting $oldErrorSetting = libxml_use_internal_errors(true); + // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or + // 5.4.13. + $oldEntityLoaderSetting = libxml_disable_entity_loader(true); // Clearing any previous errors libxml_clear_errors(); @@ -121,7 +124,7 @@ static function loadDOMDocument($xml) { // We don't generally care about any whitespace $dom->preserveWhiteSpace = false; - + $dom->loadXML(self::convertDAVNamespace($xml),LIBXML_NOWARNING | LIBXML_NOERROR); if ($error = libxml_get_last_error()) { @@ -131,6 +134,7 @@ static function loadDOMDocument($xml) { // Restoring old mechanism for error handling if ($oldErrorSetting===false) libxml_use_internal_errors(false); + if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(true); return $dom;
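Review bot: the restore in the last hunk is inverted: `if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(true);` re-disables the loader exactly when the caller had it enabled, so the previous value is never put back and the first call to loadDOMDocument() leaves external entity loading switched off process-wide for the rest of the request. That is fail-safe for this bug but silently changes behaviour for any other XML code in the same process, and it does not match the `$previous` restore used in Client.php and Locks/Plugin.php. Replace the line with an unconditional `libxml_disable_entity_loader($oldEntityLoaderSetting);`, and make sure the error path after `libxml_get_last_error()` (between the second and third hunk, not shown) performs the same restore before it throws.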
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- owncloud.org/about/security/advisories/oC-SA-2014-006/ (vendor advisory; via NVD)
- github.com/advisories/GHSA-qm4x-ch5w-gr62 (advisory; via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2014-2055 (advisory; via GHSA)
- github.com/FriendsOfPHP/security-advisories/blob/master/sabre/dav/CVE-2014-2055.yaml (web; via GHSA)
- github.com/fruux/sabre-dav/releases/tag/1.7.11 (web; via NVD)
- github.com/sabre-io/dav/commit/e3f46e0ecf83cf1d2ebf54908cde7b5ec170aa2c (web, fix commit; via GHSA)
- github.com/sabre-io/dav/issues/414 (web, tracking issue; via GHSA)
News mentions
No linked articles in our index yet.