Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code explicitly enables external general entities (the SAX feature `http://xml.org/sax/features/external-general-entities`) on a `DocumentBuilderFactory`, so a document's DTD may declare entities whose content is fetched from an external resource such as a local file or a URL. When the parsed XML comes from an untrusted source, an attacker can craft a DOCTYPE that resolves such an entity and have its contents included in the parsed document or sent to a host of their choosing.
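The following is an added example, not code taken from the page or from the rule's own source. It contrasts a `DocumentBuilderFactory` configured the way the rule flags (external general entities explicitly turned on) with a hardened configuration, and parses a constructed XXE payload with both. The payload's file path (`/etc/hostname`) is an assumption for illustration; on a system where that file does not exist the vulnerable parser throws a `FileNotFoundException` rather than returning the file contents.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeExample {

    // Constructed sample input: a DOCTYPE that declares an external general
    // entity backed by a local file and references it in the element body.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [\n" +
        "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n" +   // assumed path
        "]>\n" +
        "<data>&ext;</data>";

    // Vulnerable: external general entities are explicitly enabled, so the
    // parser resolves &ext; and the file contents end up in the DOM.
    static Document parseVulnerable(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened: refuse DOCTYPE declarations outright, which rejects XXE_DOC
    // with a SAXParseException before any entity is resolved. The remaining
    // settings are defence in depth for parsers that do not honour
    // disallow-doctype-decl.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: block all external DTD and schema access.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document d = parseVulnerable(XXE_DOC);
        System.out.println("vulnerable parser read: "
            + d.getDocumentElement().getTextContent().trim());
        try {
            parseHardened(XXE_DOC);
            System.out.println("hardened parser unexpectedly accepted the input");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

`setFeature` throws `ParserConfigurationException` if the underlying parser does not support a feature, so a hardened factory should be built once at startup where such a failure is loud, not lazily inside a request handler where it might be swallowed. Disallowing the DOCTYPE is the single most effective setting; the feature flags below it matter only for parsers that do not recognise `disallow-doctype-decl`.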
Impact
If exploited, an attacker could read files from the server's filesystem, make the server issue requests to internal network services on their behalf (server-side request forgery), or cause denial of service through entity expansion or by pointing entities at slow or unbounded resources. This can lead to data breaches, unauthorized access to internal systems, or system instability.