VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base, Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
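The mechanism behind the description, as an added example that is not part of the CWE entry or of VYPR: an attacker-supplied document declares an external general entity whose SYSTEM identifier points at a local file, and a parser that resolves such entities splices the file's contents into the parsed text. The example uses only the Python standard library. `xml.sax` has not resolved external general entities by default since Python 3.7.1, so the vulnerable path is reproduced by switching the feature on, which is the same misconfiguration the "does not configure its XML parser" entries below describe; the hardened variant rejects any DOCTYPE, which also shuts off internal-entity expansion attacks. The secret file, its token and the payload are constructed for the demo.

```python
"""CWE-611 demo: external entity resolution leaks a local file into parsed text.
Added example using only the Python standard library (xml.sax and pyexpat)."""
import io
import os
import tempfile
import xml.sax
import xml.parsers.expat
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data the SAX parser reports, i.e. what an application would use."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_text(xml_bytes, resolve_external):
    """Parse with xml.sax. resolve_external=True enables external general entity
    resolution (the XXE misconfiguration); False is the post-3.7.1 default."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE and the strict parser refuses it."""


def parse_text_no_dtd(xml_bytes):
    """Hardened variant: no DOCTYPE at all, so no entity can be declared, external
    or internal. Raising inside an expat handler aborts the parse."""

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE not allowed: %s" % name)

    parts = []
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = parts.append
    p.Parse(xml_bytes, True)
    return "".join(parts)


def xxe_demo():
    """Constructed scenario: a secret file on disk plus an attacker-controlled document
    whose entity points at it. Returns what each parser configuration yields."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-token")  # constructed secret
        secret_path = f.name
    try:
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://%s">]>\n'
            '<order><note>&xxe;</note></order>' % secret_path
        ).encode()
        leaked = parse_text(payload, resolve_external=True)   # file contents appear
        safe = parse_text(payload, resolve_external=False)    # entity expands to nothing
        try:
            parse_text_no_dtd(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
        return {"leaked": leaked, "safe": safe, "rejected": rejected}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(xxe_demo())
```

Disabling external general entities stops the file read; rejecting DOCTYPE outright is the stronger setting because it also removes the parser's ability to declare internal entities (entity-expansion denial of service) and to fetch an external DTD, which is the variant several of the entries below describe.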

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 27 of 35
  • CVE-2022-43430 (Oct 19, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-40705 (Sep 22, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also…

  • CVE-2022-41241 (Sep 21, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-41226 (Sep 21, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-39135 (Sep 11, 2022)
    risk 0.00 | cvss (not listed) | epss 0.02

    Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, which do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client…

  • CVE-2022-37189 (Sep 7, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input.

  • CVE-2022-31471 (Jul 26, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.

  • CVE-2015-8031 (Jul 18, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.

  • CVE-2021-41042 (Jul 7, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.

  • CVE-2022-34793 (Jun 30, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Recipe Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-41411 (Jun 16, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    drools <=7.59.x is affected by an XML External Entity (XXE) vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability.

  • CVE-2022-30971 (May 17, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2021-23792 (May 6, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when…

  • CVE-2022-28890 (May 5, 2022)
    risk 0.00 | cvss (not listed) | epss 0.02

    A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

  • CVE-2022-29265 (Apr 30, 2022)
    risk 0.00 | cvss (not listed) | epss 0.02

    Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors…

  • CVE-2022-24898 (Apr 28, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server…

  • CVE-2022-0272 (Apr 21, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.

  • CVE-2021-43142 (Mar 30, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

  • CVE-2022-28155 (Mar 29, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-28154 (Mar 29, 2022)
    risk 0.00 | cvss (not listed) | epss 0.01

    Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.