Unrated severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 5, 2024

CVE-2019-18213

Description

XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response capture for password cracking). This occurs in extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Red Hat XML Language Support extension (vscode-xml) before 0.9.1, based on lsp4xml before 0.9.1, is vulnerable to XXE via a crafted XML document, leading to SSRF and NetNTLM capture.

Vulnerability

CVE-2019-18213 is an XML External Entity (XXE) vulnerability in the lsp4xml library (also known as XML Language Server) before version 0.9.1, which is used as the core of the Red Hat XML Language Support extension (vscode-xml) for Visual Studio Code, as well as other products. The vulnerability resides in the file extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java and is triggered when the XML parser processes a crafted XML document containing external entities. Affected versions are lsp4xml and vscode-xml before 0.9.1 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by convincing a victim to open a malicious XML file in Visual Studio Code (or another affected IDE) with the vulnerable extension enabled. No special network position or authentication is required; the exploit is client-side, triggered automatically when the XML file is parsed for validation or syntax highlighting. The attacker supplies an XML payload that references an external DTD or entity, leading to XXE. The attack sequence involves crafting a malicious XML document and delivering it (e.g., via email, web download, or repository) to a target who opens it with the affected extension [4].

Impact

Successful exploitation allows an attacker to perform Server-Side Request Forgery (SSRF) and potentially initiate SMB connections to capture NetNTLM challenge/response hashes, which can be used for password cracking. This can lead to information disclosure, such as reading local files or internal network resources, and may facilitate lateral movement if NetNTLM credentials are cracked. The scope of compromise includes the user's machine and internal networks reachable from that machine [1][4].

Mitigation

Upgrade lsp4xml to version 0.9.1 or later, and upgrade vscode-xml to version 0.9.1 or later, both released on or before 2019-10-23 [1]. Patched versions address the XXE by disabling external entity processing in the XML parser configuration. No workarounds are documented; users should update immediately. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
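The parser configuration behind that fix, as an added example that is not lsp4xml's own code: it uses the JDK's bundled Xerces parser through `SAXParserFactory` and maps the two settings introduced in 0.9.1 (`disallowDocTypeDecl` and `resolveExternalEntities`, both defaulting to false in the patch) onto the same Xerces feature URIs the patched `LSPXMLParserConfiguration` sets, then parses a constructed document that declares an external entity under each configuration. The recording handler, the sample document and its placeholder system id are constructed for this example; tying `load-external-dtd` to the same switch is an assumption made here (the project sets that feature separately), and no network or file access happens because the handler answers every resolution request itself.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example, not lsp4xml code: shows what the Xerces features set by the
 * 0.9.1 fix do to a document that declares an external entity.
 */
public class XxeParserSettingsDemo {

    // Constructed sample: an internal DTD subset declaring an external general
    // entity. The system id is a placeholder; it is never actually opened.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE student [\n"
        + "  <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">\n"
        + "]>\n"
        + "<student>&ext;</student>";

    /** Records what the parser tried to do instead of letting it do it. */
    static final class RecordingHandler extends DefaultHandler {
        final List<String> resolveAttempts = new ArrayList<>();
        final List<String> skipped = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            // Reached only when the parser has decided to load an external entity.
            resolveAttempts.add(systemId);
            return new InputSource(new StringReader("")); // serve empty content, no I/O
        }

        @Override
        public void skippedEntity(String name) {
            // Reached when external-general-entities=false makes Xerces skip the reference.
            skipped.add(name);
        }
    }

    /** Same feature URIs as the patched LSPXMLParserConfiguration constructor. */
    static SAXParser newParser(boolean disallowDocTypeDecl, boolean resolveExternalEntities)
            throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disallowDocTypeDecl);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities);
        // Assumption of this example: the external DTD subset follows the same switch,
        // so a DOCTYPE with a SYSTEM id is not fetched either when entities are off.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", resolveExternalEntities);
        return factory.newSAXParser();
    }

    /** Parses SAMPLE under one configuration and reports what the parser did. */
    static String run(String label, boolean disallowDocTypeDecl, boolean resolveExternalEntities)
            throws Exception {
        RecordingHandler handler = new RecordingHandler();
        String outcome;
        try {
            newParser(disallowDocTypeDecl, resolveExternalEntities)
                .parse(new InputSource(new StringReader(SAMPLE)), handler);
            outcome = "parsed";
        } catch (SAXParseException e) {
            // DefaultHandler rethrows fatal errors, e.g. a disallowed DOCTYPE.
            outcome = "rejected: " + e.getMessage();
        }
        return label + " -> " + outcome
            + "; resolve attempts=" + handler.resolveAttempts
            + "; skipped entities=" + handler.skipped;
    }

    public static void main(String[] args) throws Exception {
        // Xerces defaults (what the 0.9.0 constructor left in place): the parser
        // asks the resolver for the placeholder URI, i.e. the XXE primitive.
        System.out.println(run("resolveExternalEntities=true", false, true));
        // 0.9.1 defaults: DOCTYPE accepted, &ext; reported as a skipped entity,
        // the URI is never requested.
        System.out.println(run("0.9.1 defaults              ", false, false));
        // Strictest setting: the DOCTYPE itself is a fatal parse error.
        System.out.println(run("disallowDocTypeDecl=true    ", true, false));
    }
}
```

Run the three cases and compare the `resolve attempts` list: it is non-empty only in the first configuration. For a code path that must keep DOCTYPE support (most real-world documents carry one), the middle configuration is the one to aim for; `disallowDocTypeDecl` is the belt-and-braces option for inputs that should never contain a DTD at all.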

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

bfbd50a13179

Update CHANGELOG for 0.9.1

1 file changed · +18 −0
  • CHANGELOG.md +18 −0 modified
    @@ -1,5 +1,23 @@
     # Change Log
     
    +## [0.9.1](https://github.com/angelozerr/lsp4xml/milestone/11?closed=1) (October 17, 2019)
    +
    +### Bug Fixes
    +
    + * XSD: IntelliSense and element substitutions. See [#568](https://github.com/angelozerr/lsp4xml/pull/568)
    + * Completion doesn't use file cache for included XML schema. See [#570](https://github.com/angelozerr/lsp4xml/pull/570)
    + * Prevent from NPE validation with schemaLocaton and "schema.reference.4" error. See [#569](https://github.com/angelozerr/lsp4xml/pull/569)
    +
    +### Performance
    +
    + * Improve performance and memory for validation by caching XML Schema / DTD. See [#534](https://github.com/angelozerr/lsp4xml/issues/534)
    +
    +### Others
    +
    + * Update lsp4j version to 0.8.1. See [#571](https://github.com/angelozerr/lsp4xml/pull/571)
    + * Reject download of resource which are not in the cache folder. See [#567](https://github.com/angelozerr/lsp4xml/pull/567)
    + * Add disallowDocTypeDecl & resolveExternalEntities validation settings. See [#566](https://github.com/angelozerr/lsp4xml/pull/566)
    +
     ## [0.9.0](https://github.com/angelozerr/lsp4xml/milestone/10?closed=1) (September 10, 2019)
     
     ### Enhancements
    
d172c4daff4c

Add disallowDocTypeDecl & resolveExternalEntities validation settings.

5 files changed · +104 −24
  • org.eclipse.lsp4xml/src/main/java/org/eclipse/lsp4xml/extensions/contentmodel/participants/diagnostics/LSPXMLParserConfiguration.java +10 −1 modified
    @@ -14,6 +14,7 @@
     import org.apache.xerces.xni.XNIException;
    
     import org.apache.xerces.xni.parser.XMLComponentManager;
    
     import org.apache.xerces.xni.parser.XMLConfigurationException;
    
    +import org.eclipse.lsp4xml.extensions.contentmodel.settings.XMLValidationSettings;
    
     
    
     /**
    
      * Custom Xerces XML parser configuration to :
    
    @@ -27,8 +28,16 @@ class LSPXMLParserConfiguration extends XIncludeAwareParserConfiguration {
     
    
     	private final boolean disableDTDValidation;
    
     
    
    -	public LSPXMLParserConfiguration(boolean disableDTDValidation) {
    
    +	public LSPXMLParserConfiguration(boolean disableDTDValidation, XMLValidationSettings validationSettings) {
    
     		this.disableDTDValidation = disableDTDValidation;
    
    +		// Disable DOCTYPE declaration if settings is set to true.
    
    +		boolean disallowDocTypeDecl = validationSettings != null ? validationSettings.isDisallowDocTypeDecl() : false;
    
    +		super.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disallowDocTypeDecl);
    
    +		// Resolve external entities if settings is set to true.
    
    +		boolean resolveExternalEntities = validationSettings != null ? validationSettings.isResolveExternalEntities()
    
    +				: false;
    
    +		super.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities);
    
    +		super.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities);
    
     	}
    
     
    
     	@Override
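Review bot: the null-guarded ternaries in the new constructor body can be plain conjunctions, e.g. `boolean disallowDocTypeDecl = validationSettings != null && validationSettings.isDisallowDocTypeDecl();` and likewise for resolveExternalEntities, which also removes the awkward line break in the second one. Falling back to false when validationSettings is null is the right fail-safe default and the comment should say so explicitly; the `super.` prefix on the setFeature calls is unnecessary since the class does not override setFeature.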
    
    
  • org.eclipse.lsp4xml/src/main/java/org/eclipse/lsp4xml/extensions/contentmodel/participants/diagnostics/XMLValidator.java +6 −9 modified
    @@ -60,13 +60,11 @@ public class XMLValidator {
     	public static void doDiagnostics(DOMDocument document, XMLEntityResolver entityResolver,
    
     			List<Diagnostic> diagnostics, ContentModelSettings contentModelSettings, CancelChecker monitor) {
    
     		try {
    
    -			// It should be better to cache XML Schema with XMLGrammarCachingConfiguration,
    
    -			// but we cannot use
    
    -			// XMLGrammarCachingConfiguration because cache is done with target namespaces.
    
    -			// There are conflicts when
    
    -			// 2 XML Schemas don't define target namespaces.
    
    +			XMLValidationSettings validationSettings = contentModelSettings != null
    
    +					? contentModelSettings.getValidation()
    
    +					: null;
    
     			LSPXMLParserConfiguration configuration = new LSPXMLParserConfiguration(
    
    -					isDisableOnlyDTDValidation(document));
    
    +					isDisableOnlyDTDValidation(document), validationSettings);
    
     
    
     			if (entityResolver != null) {
    
     				configuration.setProperty("http://apache.org/xml/properties/internal/entity-resolver", entityResolver); //$NON-NLS-1$
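Review bot: the five-line comment explaining why XMLGrammarCachingConfiguration is not used (conflicts when two XML Schemas define no target namespace) is deleted without replacement, and the hoisted validationSettings declaration does not replace that rationale. If the reasoning still holds after the caching change in #534, keep the comment here or move it to where caching is now implemented.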
    
    @@ -87,9 +85,6 @@ public static void doDiagnostics(DOMDocument document, XMLEntityResolver entityR
     			boolean hasGrammar = document.hasGrammar();
    
     
    
     			// If diagnostics for Schema preference is enabled
    
    -			XMLValidationSettings validationSettings = contentModelSettings != null
    
    -					? contentModelSettings.getValidation()
    
    -					: null;
    
     			if ((validationSettings == null) || validationSettings.isSchema()) {
    
     
    
     				checkExternalSchema(document.getExternalSchemaLocation(), parser);
    
    @@ -211,6 +206,8 @@ public String setupCurrentEntity(String name, XMLInputSource xmlInputSource, boo
     
    
     			SAXParser parser = new SAXParser(configuration);
    
     			parser.setProperty("http://apache.org/xml/properties/internal/entity-manager", entityManager);
    
    +			parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
    
    +
    
     			InputSource inputSource = new InputSource();
    
     			inputSource.setByteStream(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    
     			inputSource.setSystemId(document.getDocumentURI());
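Review bot: `parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true)` is applied unconditionally to this second SAXParser, independent of the new resolveExternalEntities setting enforced in LSPXMLParserConfiguration, so an external DTD subset referenced from a DOCTYPE can still be loaded by this parser while resolveExternalEntities is false unless the custom entityManager set on the line above refuses it. Either derive the flag from validationSettings as the other constructor does, or add a comment explaining why this path must fetch the external DTD and what bounds that fetch.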
    
    
  • org.eclipse.lsp4xml/src/main/java/org/eclipse/lsp4xml/extensions/contentmodel/participants/XMLSyntaxErrorCode.java +11 −9 modified
    @@ -20,6 +20,7 @@
     import org.apache.xerces.xni.XMLLocator;
    
     import org.eclipse.lsp4j.Range;
    
     import org.eclipse.lsp4xml.dom.DOMDocument;
    
    +import org.eclipse.lsp4xml.dom.DOMDocumentType;
    
     import org.eclipse.lsp4xml.extensions.contentmodel.participants.codeactions.ElementUnterminatedCodeAction;
    
     import org.eclipse.lsp4xml.extensions.contentmodel.participants.codeactions.EqRequiredInAttributeCodeAction;
    
     import org.eclipse.lsp4xml.extensions.contentmodel.participants.codeactions.OpenQuoteExpectedCodeAction;
    
    @@ -34,11 +35,10 @@
      *
    
      */
    
     public enum XMLSyntaxErrorCode implements IXMLErrorCode {
    
    -	
    
    +
    
     	AttributeNotUnique, // https://wiki.xmldation.com/Support/Validator/AttributeNotUnique
    
     	AttributeNSNotUnique, // https://wiki.xmldation.com/Support/Validator/AttributeNSNotUnique
    
    -	AttributePrefixUnbound,
    
    -	ContentIllegalInProlog, // https://wiki.xmldation.com/Support/Validator/ContentIllegalInProlog
    
    +	AttributePrefixUnbound, ContentIllegalInProlog, // https://wiki.xmldation.com/Support/Validator/ContentIllegalInProlog
    
     	DashDashInComment, // https://wiki.xmldation.com/Support/Validator/DashDashInComment
    
     	ElementUnterminated, // https://wiki.xmldation.com/Support/Validator/ElementUnterminated
    
     	ElementPrefixUnbound, // https://wiki.xmldation.com/Support/Validator/ElementPrefixUnbound
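Review bot: merging `AttributePrefixUnbound` onto the same line as `ContentIllegalInProlog` makes the trailing xmldation link read as if it documents both constants; keep one constant per line with its own comment as the rest of the enum does, and leave formatter-only whitespace changes out of a security fix commit so the functional change stays reviewable.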
    
    @@ -47,12 +47,11 @@ public enum XMLSyntaxErrorCode implements IXMLErrorCode {
     	ETagRequired, // https://wiki.xmldation.com/Support/Validator/ETagRequired
    
     	ETagUnterminated, // https://wiki.xmldation.com/Support/Validator/ETagUnterminated
    
     	EqRequiredInAttribute, // https://wiki.xmldation.com/Support/Validator/EqRequiredInAttribute
    
    -	the_element_type_lmsg("the-element-type-lmsg"), EqRequiredInXMLDecl, IllegalQName,
    
    -	InvalidCommentStart, LessthanInAttValue, MarkupEntityMismatch, MarkupNotRecognizedInContent,
    
    -	NameRequiredInReference, OpenQuoteExpected, PITargetRequired, PseudoAttrNameExpected, QuoteRequiredInXMLDecl,
    
    -	RootElementTypeMustMatchDoctypedecl, SDDeclInvalid, SpaceRequiredBeforeEncodingInXMLDecl,
    
    -	SpaceRequiredBeforeStandalone, SpaceRequiredInPI,VersionInfoRequired, VersionNotSupported, 
    
    -	XMLDeclUnterminated, CustomETag, PrematureEOF;
    
    +	the_element_type_lmsg("the-element-type-lmsg"), EqRequiredInXMLDecl, IllegalQName, InvalidCommentStart,
    
    +	LessthanInAttValue, MarkupEntityMismatch, MarkupNotRecognizedInContent, NameRequiredInReference, OpenQuoteExpected,
    
    +	PITargetRequired, PseudoAttrNameExpected, QuoteRequiredInXMLDecl, RootElementTypeMustMatchDoctypedecl,
    
    +	SDDeclInvalid, SpaceRequiredBeforeEncodingInXMLDecl, SpaceRequiredBeforeStandalone, SpaceRequiredInPI,
    
    +	VersionInfoRequired, VersionNotSupported, XMLDeclUnterminated, CustomETag, PrematureEOF, DoctypeNotAllowed;
    
     
    
     	private final String code;
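Review bot: the only functional change in this hunk is the new `DoctypeNotAllowed` constant at the end of the list, but it is buried in a reflow of the unrelated constants. Add it on its own line with a short comment saying it is reported when disallowDocTypeDecl is enabled (it has no xmldation reference like the others), and drop the reformatting of the existing lines.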
    
     
    
    @@ -183,6 +182,9 @@ public static Range toLSPRange(XMLLocator location, XMLSyntaxErrorCode code, Obj
     		case OpenQuoteExpected: {
    
     			return XMLPositionUtility.selectAttributeNameAt(offset - 1, document);
    
     		}
    
    +		case DoctypeNotAllowed:
    
    +			DOMDocumentType docType = document.getDoctype();
    
    +			return XMLPositionUtility.createRange(docType);		
    
     		case PITargetRequired:
    
     			// Working
    
     			break;
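Review bot: `case DoctypeNotAllowed:` declares the local `DOMDocumentType docType` without the `{ }` block the neighbouring cases use, so the variable is scoped to the whole switch, and the `return XMLPositionUtility.createRange(docType);` line carries trailing tabs. Wrap the case in braces like `case OpenQuoteExpected: { ... }` and state (in a comment or a null check) that `document.getDoctype()` is non-null here because the error is only raised when a DOCTYPE is present.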
    
    
  • org.eclipse.lsp4xml/src/main/java/org/eclipse/lsp4xml/extensions/contentmodel/settings/XMLValidationSettings.java +52 −5 modified
    @@ -22,6 +22,10 @@ public class XMLValidationSettings {
     
     	private Boolean enabled;
     
    +	private boolean disallowDocTypeDecl;
    +
    +	private boolean resolveExternalEntities;
    +
     	/**
     	 * This severity preference to mark the root element of XML document which is
     	 * not bound to a XML Schema/DTD.
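Review bot: the new fields are primitive `boolean` while the existing `enabled` is a boxed `Boolean`; if the boxed type exists so that an unset value (e.g. absent from client JSON) can be told apart from false, the new fields cannot express "unset". Primitive false is the safe default for both settings, so either keep them primitive and say so in a comment, or match the existing type for consistency.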
    @@ -31,9 +35,11 @@ public class XMLValidationSettings {
     	private String noGrammar;
     
     	public XMLValidationSettings() {
    -		//set defaults
    -		schema = true;
    -		enabled = true;
    +		// set defaults
    +		setSchema(true);
    +		setEnabled(true);
    +		setDisallowDocTypeDecl(false);
    +		setResolveExternalEntities(false);
     	}
     
     	/**
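Review bot: `setResolveExternalEntities(false)` and `setDisallowDocTypeDecl(false)` are the security-relevant part of this change and deserve a comment explaining that external entity resolution is off by default to prevent XXE, while DOCTYPE declarations stay allowed for compatibility with documents that carry one. Calling overridable setters from the constructor is also a minor hazard if the class is ever subclassed; the direct field assignments that were here before avoid it.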
    @@ -72,6 +78,45 @@ public String getNoGrammar() {
     		return noGrammar;
     	}
     
    +	/**
    +	 * Returns true if a fatal error is thrown if the incoming document contains a
    +	 * DOCTYPE declaration and false otherwise.
    +	 * 
    +	 * @return true if a fatal error is thrown if the incoming document contains a
    +	 *         DOCTYPE declaration and false otherwise.
    +	 */
    +	public boolean isDisallowDocTypeDecl() {
    +		return disallowDocTypeDecl;
    +	}
    +
    +	/**
    +	 * Set true if a fatal error is thrown if the incoming document contains a
    +	 * DOCTYPE declaration and false otherwise.
    +	 * 
    +	 * @param disallowDocTypeDecl disallow DOCTYPE declaration.
    +	 */
    +	public void setDisallowDocTypeDecl(boolean disallowDocTypeDecl) {
    +		this.disallowDocTypeDecl = disallowDocTypeDecl;
    +	}
    +
    +	/**
    +	 * Returns true if external entities must be resolved and false otherwise.
    +	 * 
    +	 * @return true if external entities must be resolved and false otherwise.
    +	 */
    +	public boolean isResolveExternalEntities() {
    +		return resolveExternalEntities;
    +	}
    +
    +	/**
    +	 * Set true if external entities must be resolved and false otherwise.
    +	 * 
    +	 * @param resolveExternalEntities resolve extrenal entities
    +	 */
    +	public void setResolveExternalEntities(boolean resolveExternalEntities) {
    +		this.resolveExternalEntities = resolveExternalEntities;
    +	}
    +
     	/**
     	 * Returns the <code>noGrammar</code> severity according the given settings and
     	 * {@link DiagnosticSeverity#Hint} otherwise.
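Review bot: typo `extrenal` in the `@param` of `setResolveExternalEntities`, and the Javadoc of `isDisallowDocTypeDecl` repeats its first sentence verbatim in the `@return` tag. Both Javadocs should also state the default (false) and, for `resolveExternalEntities`, that enabling it lets the parser fetch external resources named in the document being validated.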
    @@ -101,11 +146,13 @@ public static DiagnosticSeverity getNoGrammarSeverity(ContentModelSettings setti
     	}
     
     	public XMLValidationSettings merge(XMLValidationSettings settings) {
    -		if(settings != null) {
    +		if (settings != null) {
     			this.schema = settings.schema;
     			this.enabled = settings.enabled;
    +			this.disallowDocTypeDecl = settings.disallowDocTypeDecl;
    +			this.resolveExternalEntities = settings.resolveExternalEntities;
     		}
     		return this;
     	}
    -	
    +
     }
    \ No newline at end of file
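Review bot: `merge` copies `disallowDocTypeDecl` and `resolveExternalEntities` unconditionally, so merging a settings object that did not specify them resets both to false; that is the safe direction for `resolveExternalEntities` but means an explicitly enabled `disallowDocTypeDecl` is silently dropped by a partial merge. The file also still ends without a trailing newline.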
    
  • org.eclipse.lsp4xml/src/test/java/org/eclipse/lsp4xml/extensions/contentmodel/DTDDoctypeDiagnosticsTest.java +25 −0 modified
    @@ -12,8 +12,12 @@
     
    
     import static org.eclipse.lsp4xml.XMLAssert.d;
    
     
    
    +import org.eclipse.lsp4j.Diagnostic;
    
     import org.eclipse.lsp4xml.XMLAssert;
    
     import org.eclipse.lsp4xml.extensions.contentmodel.participants.DTDErrorCode;
    
    +import org.eclipse.lsp4xml.extensions.contentmodel.participants.XMLSyntaxErrorCode;
    
    +import org.eclipse.lsp4xml.extensions.contentmodel.settings.ContentModelSettings;
    
    +import org.eclipse.lsp4xml.extensions.contentmodel.settings.XMLValidationSettings;
    
     import org.junit.Test;
    
     
    
     /**
    
    @@ -90,4 +94,25 @@ public void disableDTDValidationWhenNoElementDecl() throws Exception {
     		// declaration
    
     		XMLAssert.testDiagnosticsFor(xml);
    
     	}
    
    +
    
    +	@Test
    
    +	public void doctypeNotAllowed() throws Exception {
    
    +		String xml = "<?xml version=\"1.0\"?>\r\n" + //
    
    +				"<!DOCTYPE student [\r\n" + // <-- error DOCTYPE is disallow
    
    +				"  <!ELEMENT \r\n" + //
    
    +				"]>\r\n" + //
    
    +				"<student />";
    
    +		testDiagnosticsDisallowDocTypeDecl(xml, d(1, 0, 3, 2, XMLSyntaxErrorCode.DoctypeNotAllowed));
    
    +	}
    
    +
    
    +	private static void testDiagnosticsDisallowDocTypeDecl(String xml, Diagnostic diagnostic) {
    
    +		ContentModelSettings settings = new ContentModelSettings();
    
    +		settings.setUseCache(false);
    
    +		XMLValidationSettings validationSettings = new XMLValidationSettings();
    
    +		validationSettings.setDisallowDocTypeDecl(true);
    
    +		settings.setValidation(validationSettings);
    
    +
    
    +		XMLAssert.testDiagnosticsFor(xml, null, null, null, true, settings, diagnostic);
    
    +	}
    
    +
    
     }
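Review bot: the new test covers `disallowDocTypeDecl` only; there is no test for `resolveExternalEntities`, the setting that addresses the external entity resolution this change is about, so the default-off behaviour is unverified. Add a case with a document that references an external general entity and assert that, with default settings, the reference is skipped rather than resolved (and resolved only when the setting is true). The inline comment `<-- error DOCTYPE is disallow` should read `DOCTYPE is disallowed`.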
    
    

