Improper Restriction of XML External Entity Reference

Property
Language: scala
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: Medium
Likelihood Level: Low

Description

When creating an XMLInputFactory instance, entity processing is not disabled, which means the parser may process external entities. This can allow attackers to inject malicious XML that accesses external resources or sensitive data.

Impact

If exploited, attackers could read confidential files, perform denial-of-service attacks, or make the server access internal or external systems (SSRF). This could lead to data leaks, service disruption, or unauthorized network access.

Improper Restriction of XML External Entity Reference

Property
Language: scala
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The XML parser is being created without disabling features that allow processing of external entities. This leaves the application vulnerable to attackers sending malicious XML data that can be interpreted in unsafe ways.

Impact

If exploited, an attacker could read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by submitting specially crafted XML. This can lead to data breaches, unauthorized network access, or application downtime.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The XMLInputFactory is configured to allow external entities, which makes it vulnerable to XML External Entity (XXE) attacks. This can happen if the ‘isSupportingExternalEntities’ or ‘SUPPORT_DTD’ properties are set to true.

Impact

If exploited, attackers could read sensitive files from the server, perform server-side requests to internal systems, or cause denial of service. This puts confidential data, system integrity, and availability at risk.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The XMLInputFactory is created without disabling support for external entities. This leaves the code vulnerable to XML External Entity (XXE) attacks, as external entities can be processed by default.

Impact

If exploited, an attacker could read sensitive files, access internal network resources, or cause denial of service by submitting malicious XML input. This can lead to data breaches, exposure of confidential information, or disruption of application functionality.
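The four XMLInputFactory entries above (Scala and Java use the same StAX API) flag the same two properties. The Java below is an added example, not the scanner's or the page's own code: it shows the flagged settings next to the hardened ones and reads a constructed document through the hardened factory. The class and method names are my own.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeHardening {
    // Constructed sample: the internal DTD subset declares an external entity
    // with a placeholder SYSTEM id; a hardened parser never tries to resolve it.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
      + "<doc>&ext;</doc>";

    // The configuration the rule flags: DTD processing and external entity
    // support both left enabled. Shown for contrast only; not used below.
    static XMLInputFactory weakFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, true);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
        return f;
    }

    // Hardened configuration: no DTD processing at all, plus no external entity
    // resolution as a second layer should DTD support ever be switched back on.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the character content of the document, or null when the parser
    // rejects it. With the hardened factory the DTD is skipped, so &ext; is an
    // undeclared entity and the reader throws XMLStreamException.
    static String readText(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            return text.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }
}
```

Calling readText(hardenedFactory(), SAMPLE_XML) returns null because the entity reference cannot be satisfied without the DTD; the placeholder file is never opened.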

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using XMLDecoder to parse data from untrusted sources is unsafe because it can execute arbitrary code during deserialization. This approach exposes your application to serious security risks when handling user-provided XML input.

Impact

If exploited, an attacker could execute malicious code on your server, potentially leading to full system compromise, data theft, or further attacks on your infrastructure. This can result in data breaches, service disruption, and significant harm to your organization.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

The SAXParserFactory is used without disabling XML DOCTYPE declarations or external entities, which leaves the parser vulnerable to XML External Entity (XXE) attacks. This means untrusted XML input could be processed insecurely.

Impact

If exploited, an attacker could read sensitive files, execute remote network requests from the server, or cause denial of service. This can lead to significant data breaches or compromise the application’s infrastructure.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

The code creates a DocumentBuilderFactory without disabling XML DOCTYPE declarations. This leaves the parser vulnerable to XML External Entity (XXE) attacks, as it allows external entities to be defined and processed.

Impact

If exploited, an attacker could read sensitive files from the server, perform network requests, or cause denial of service by submitting malicious XML. This can lead to data breaches, exposure of secrets, or disruption of your application’s availability.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

The code enables external general entities when processing XML with DocumentBuilderFactory, which allows XML files to reference external resources. This setting can let attackers include or access sensitive files via crafted XML input.

Impact

If exploited, an attacker could read confidential files from the server, perform internal network requests, or cause denial of service. This can lead to data breaches, unauthorized access to internal systems, or system instability.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

The code creates a TransformerFactory for XML processing without disabling external DTDs and stylesheets. This leaves the application vulnerable to XML External Entity (XXE) attacks because it allows XML input to reference external resources.

Impact

If exploited, an attacker could read sensitive files from the server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data breaches, exposure of internal systems, and significant security risks for the application and organization.

Improper Restriction of XML External Entity Reference

Property
Language: java
Severity: high
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: High
Impact Level: High
Likelihood Level: Low

Description

The code enables external parameter entities in XML parsing, which makes the application vulnerable to XML External Entity (XXE) attacks. This happens when the parser is allowed to access external resources referenced in XML documents.

Impact

If exploited, attackers could read sensitive files from the server, perform server-side request forgery (SSRF), or cause denial of service. This can lead to data breaches or allow attackers to interact with internal systems and resources.
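The SAXParserFactory, DocumentBuilderFactory (DOCTYPE, external general entities, external parameter entities) and TransformerFactory entries above each flag one missing setting. The Java below is an added example, not the scanner's or the page's own code: it collects the hardening for all three factories in one place, so each flagged feature is set to its safe value together with the related ones. The feature URIs are the standard SAX/Xerces ones; the class and method names are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;

public class JaxpXxeHardening {
    // Standard SAX/Xerces feature URIs referenced by the rules above.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // DOM: reject any DOCTYPE outright, and as defence in depth also turn off
    // external general/parameter entities, external DTD loading and entity expansion.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXT_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // SAX: the same feature set applied to a SAXParserFactory.
    static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXT_DTD, false);
        return f;
    }

    // XSLT: forbid external DTDs and external stylesheets through the JAXP
    // access attributes; an empty protocol list means no external access at all.
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }
}
```

With disallow-doctype-decl enabled, a document carrying any DOCTYPE is rejected by the DOM and SAX parsers before an entity declaration can be read, so the remaining feature settings only matter if that first guard is ever relaxed.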