Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code creates a DocumentBuilderFactory without disabling XML DOCTYPE declarations. This leaves the parser vulnerable to XML External Entity (XXE) attacks, as it allows external entities to be defined and processed.
Impact
If exploited, an attacker could read sensitive files from the server, perform network requests, or cause denial of service by submitting malicious XML. This can lead to data breaches, exposure of secrets, or disruption of your application’s availability.
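The following is an added example, not code from the original page: it places the flagged pattern (a `DocumentBuilderFactory` left at its defaults) beside a hardened factory that rejects DOCTYPE declarations outright, and runs both against a constructed document that only declares a harmless internal entity. The class and method names are assumptions; the feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample input: a document with a DOCTYPE that declares an
    // internal entity. It is harmless, but any DOCTYPE is the door XXE walks
    // through, so the hardened parser must refuse it.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>"
        + "<note>&greeting;</note>";

    // The pattern the rule flags: default settings, DOCTYPE and entities allowed.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: disallow-doctype-decl makes the parser fail before any
    // entity can be declared. The remaining settings are defence in depth for
    // parsers that do not honour the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Returns true if the parser accepted the DOCTYPE, false if it rejected it.
    static boolean acceptsDoctype(DocumentBuilderFactory dbf) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(SAMPLE_WITH_DOCTYPE.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            return false; // JDK parser reports "DOCTYPE is disallowed" here
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DOCTYPE:  " + acceptsDoctype(vulnerableFactory()));
        System.out.println("hardened factory accepts DOCTYPE: " + acceptsDoctype(hardenedFactory()));
    }
}
```

Run with `javac XxeHardening.java && java XxeHardening`; the default factory prints `true` and the hardened one prints `false`, which is the behaviour this rule checks for.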