CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 31 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2247 | | | 0.00 | — | 0.01 | | Sep 1, 2020 | Jenkins Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2245 | | | 0.00 | — | 0.01 | | Sep 1, 2020 | Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-25020 | | — | 0.00 | — | 0.03 | | Aug 29, 2020 | MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. |
| CVE-2020-17376 | | — | 0.00 | — | 0.02 | | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that… |
| CVE-2020-13692 | | — | 0.00 | — | 0.04 | | Jun 4, 2020 | PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. |
| CVE-2020-12642 | | — | 0.00 | — | 0.01 | | May 4, 2020 | An issue was discovered in service-api before 4.3.12 and 5.x before 5.1.1 for Report Portal. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import. |
| CVE-2020-10683 | | — | 0.00 | — | 0.07 | | May 1, 2020 | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. |
| CVE-2020-2178 | | | 0.00 | — | 0.01 | | Apr 16, 2020 | Jenkins Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2172 | | | 0.00 | — | 0.01 | | Apr 7, 2020 | Jenkins Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-10991 | | — | 0.00 | — | 0.01 | | Mar 26, 2020 | Mulesoft APIkit through 1.3.0 allows XXE because of validation/RestXmlSchemaValidator.java. |
| CVE-2020-2171 | | | 0.00 | — | 0.01 | | Mar 25, 2020 | Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2019-20627 | | — | 0.00 | — | 0.02 | | Mar 23, 2020 | AutoUpdater.cs in AutoUpdater.NET before 1.5.8 allows XXE. |
| CVE-2020-10799 | | — | 0.00 | — | 0.01 | | Mar 20, 2020 | The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. |
| CVE-2020-2144 | | | 0.00 | — | 0.01 | | Mar 9, 2020 | Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2138 | | | 0.00 | — | 0.01 | | Mar 9, 2020 | Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2120 | | | 0.00 | — | 0.01 | | Feb 12, 2020 | Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2020-2115 | | | 0.00 | — | 0.01 | | Feb 12, 2020 | Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. |
| CVE-2019-10782 | | | 0.00 | — | 0.02 | | Jan 30, 2020 | All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658. |
| CVE-2020-2108 | | | 0.00 | — | 0.01 | | Jan 29, 2020 | Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks, which can be exploited by a user with Job/Configure permissions. |
| CVE-2015-1809 | | | 0.00 | — | 0.01 | | Jan 15, 2020 | XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query. |