CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-43430 | | | 0.00 | — | 0.01 | | Oct 19, 2022 | Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-40705 | | | 0.00 | — | 0.01 | | Sep 22, 2022 | An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also… |
| CVE-2022-41241 | | | 0.00 | — | 0.01 | | Sep 21, 2022 | Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-41226 | | | 0.00 | — | 0.01 | | Sep 21, 2022 | Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-39135 | | — | 0.00 | — | 0.02 | | Sep 11, 2022 | Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, which do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client… |
| CVE-2022-37189 | | — | 0.00 | — | 0.01 | | Sep 7, 2022 | DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input. |
| CVE-2022-31471 | | — | 0.00 | — | 0.01 | | Jul 26, 2022 | untangle is a Python library to convert XML data to Python objects. untangle versions 1.2.0 and earlier improperly restrict XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files. |
| CVE-2015-8031 | | — | 0.00 | — | 0.01 | | Jul 18, 2022 | Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks. |
| CVE-2021-41042 | | — | 0.00 | — | 0.01 | | Jul 7, 2022 | In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved. |
| CVE-2022-34793 | | — | 0.00 | — | 0.01 | | Jun 30, 2022 | Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-41411 | | — | 0.00 | — | 0.01 | | Jun 16, 2022 | drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability. |
| CVE-2022-30971 | | | 0.00 | — | 0.01 | | May 17, 2022 | Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2021-23792 | | — | 0.00 | — | 0.01 | | May 6, 2022 | The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when… |
| CVE-2022-28890 | | | 0.00 | — | 0.02 | | May 5, 2022 | A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities. |
| CVE-2022-29265 | | | 0.00 | — | 0.02 | | Apr 30, 2022 | Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors… |
| CVE-2022-24898 | | | 0.00 | — | 0.01 | | Apr 28, 2022 | org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server… |
| CVE-2022-0272 | | | 0.00 | — | 0.01 | | Apr 21, 2022 | Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0. |
| CVE-2021-43142 | | — | 0.00 | — | 0.01 | | Mar 30, 2022 | An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput. |
| CVE-2022-28155 | | — | 0.00 | — | 0.01 | | Mar 29, 2022 | Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2022-28154 | | | 0.00 | — | 0.01 | | Mar 29, 2022 | Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |