Improper Restriction of XML External Entity Reference
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
The XMLInputFactory is configured to allow external entities, which makes it vulnerable to XML External Entity (XXE) attacks. This can happen if the ‘isSupportingExternalEntities’ or ‘SUPPORT_DTD’ properties are set to true.
Impact#
If exploited, attackers could read sensitive files from the server, perform server-side requests to internal systems, or cause denial of service. This puts confidential data, system integrity, and availability at risk.