VYPR

CWE-611

Improper Restriction of XML External Entity Reference

Abstraction: Base, Status: Draft

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
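The mechanism behind the description above, shown end to end, as an added example that is not part of this page or of any project listed on it. A parser that resolves external general entities is handed a document whose DOCTYPE declares an entity with a SYSTEM identifier pointing at a local file; the entity reference in element content then embeds that file's contents into the parsed output, which is exactly the "incorrect documents" of the weakness. The same payload is parsed again with external entities disabled, and a third time with a lexical handler that refuses any DOCTYPE. Everything here (the secret file, its contents, the `report`/`name` element names, the `parse_report` and `run_demo` helpers) is constructed for the example; only the Python standard library's `xml.sax` API is used.

```python
"""XXE through an XML parser with external general entities enabled,
next to two hardened configurations. Standard library only."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler


class NameCollector(xml.sax.ContentHandler):
    """Collects the text of the <name> element, where the attacker's
    entity reference lands in the constructed payload below."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.name = ""

    def startElement(self, tag, attrs):
        self._inside = (tag == "name")

    def endElement(self, tag):
        if tag == "name":
            self._inside = False

    def characters(self, data):
        if self._inside:
            self.name += data


class DoctypeRejecter:
    """Lexical handler that refuses any DOCTYPE. No DTD means no entity
    declarations at all, the simplest complete fix when the application
    never legitimately needs a DTD."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def build_payload(secret_path):
    """Constructed attacker document: an external general entity whose
    SYSTEM identifier is a local file path, referenced from content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE report [\n'
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        ']>\n'
        '<report><name>&xxe;</name></report>'
    ).encode()


def parse_report(xml_bytes, allow_external_entities, reject_doctype=False):
    """Parse a report document and return the <name> text.
    allow_external_entities=True reproduces the CWE-611 misconfiguration."""
    parser = xml.sax.make_parser()
    # False is the safe value (and the default since Python 3.7.1); set it
    # explicitly so the intent does not depend on the interpreter version.
    parser.setFeature(feature_external_ges, allow_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, DoctypeRejecter())
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name


def run_demo():
    """Returns (text from vulnerable parser, text from hardened parser,
    whether the DOCTYPE-rejecting parser refused the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")  # constructed secret, no newline
        payload = build_payload(secret_path)

        leaked = parse_report(payload, allow_external_entities=True)
        hardened = parse_report(payload, allow_external_entities=False)
        try:
            parse_report(payload, allow_external_entities=False,
                         reject_doctype=True)
            rejected = False
        except ValueError:
            rejected = True
    return leaked, hardened, rejected


if __name__ == "__main__":
    leaked, hardened, rejected = run_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
    print("DOCTYPE rejected:          ", rejected)
```

The vulnerable run returns the secret file's contents inside `<name>`; the hardened run returns an empty string because the entity reference is skipped rather than resolved. Disabling external general entities is the minimum fix; refusing DOCTYPE outright also removes parameter entities and entity-expansion denial of service, which is why it is the usual recommendation when the input format does not need a DTD. The same two knobs exist in every mainstream parser (for example `disallow-doctype-decl` and `external-general-entities` on JAXP parsers, the configuration that the Jenkins plugins listed below failed to apply).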

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-221

CVEs mapped to this weakness (684)

page 31 of 35
  • CVE-2020-2247 (Sep 1, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2245 (Sep 1, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-25020 (Aug 29, 2020)
    risk 0.00 | cvss | epss 0.03

    MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components.

  • CVE-2020-17376 (Aug 26, 2020)
    risk 0.00 | cvss | epss 0.02

    An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that…

  • CVE-2020-13692 (Jun 4, 2020)
    risk 0.00 | cvss | epss 0.04

    PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

  • CVE-2020-12642 (May 4, 2020)
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.

  • CVE-2020-10683 (May 1, 2020)
    risk 0.00 | cvss | epss 0.07

    dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

  • CVE-2020-2178 (Apr 16, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2172 (Apr 7, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-10991 (Mar 26, 2020)
    risk 0.00 | cvss | epss 0.01

    Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java.

  • CVE-2020-2171 (Mar 25, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2019-20627 (Mar 23, 2020)
    risk 0.00 | cvss | epss 0.02

    AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE.

  • CVE-2020-10799 (Mar 20, 2020)
    risk 0.00 | cvss | epss 0.01

    The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.

  • CVE-2020-2144 (Mar 9, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2138 (Mar 9, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2120 (Feb 12, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2020-2115 (Feb 12, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2019-10782 (Jan 30, 2020)
    risk 0.00 | cvss | epss 0.02

    All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.

  • CVE-2020-2108 (Jan 29, 2020)
    risk 0.00 | cvss | epss 0.01

    Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks, which can be exploited by a user with Job/Configure permissions.

  • CVE-2015-1809 (Jan 15, 2020)
    risk 0.00 | cvss | epss 0.01

    XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.