Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The SAXParserFactory is used without disabling DOCTYPE declarations or external entity resolution, which leaves the resulting parser vulnerable to XML External Entity (XXE) attacks. This means untrusted XML input can declare entities that the parser will resolve.
Impact
If exploited, an attacker could read sensitive files, make network requests from the server, or cause denial of service. This can lead to significant data breaches or compromise of the application's infrastructure.
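Added example, not code from the rule page: the unconfigured SAXParserFactory this rule flags alongside a hardened configuration, checked against a constructed DOCTYPE input. The feature URIs and XMLConstants properties are the standard SAX/Xerces/JAXP ones; the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class SaxXxeHardening {
    // Vulnerable: the default factory keeps DOCTYPE handling and external entity
    // resolution enabled, so untrusted input can pull in external resources.
    static SAXParser vulnerableParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    // Hardened: reject DOCTYPE declarations outright, and disable entity and DTD
    // loading as defence in depth for parsers that lack the first feature.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser p = f.newSAXParser();
        // Also block external DTD and schema access at the parser level (JAXP 1.5+).
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return p;
    }

    // True if the parser accepted the document, false if it rejected it.
    static boolean accepts(SAXParser parser, String xml) {
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE with an internal entity. Untrusted input has
        // no legitimate need for a DOCTYPE, so the hardened parser rejects it.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE note [<!ENTITY g \"hi\">]><note>&g;</note>";
        String plain = "<note>hi</note>";
        System.out.println("vulnerable accepts DOCTYPE: " + accepts(vulnerableParser(), withDoctype));
        System.out.println("hardened accepts DOCTYPE: " + accepts(hardenedParser(), withDoctype));
        System.out.println("hardened accepts plain XML: " + accepts(hardenedParser(), plain));
    }
}
```

The disallow-doctype-decl feature is the one check that removes the whole entity mechanism; the remaining settings matter only when the SAX implementation in use does not support it.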