Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds an XML parser (for example through DocumentBuilderFactory, SAXParserFactory or XMLInputFactory) that accepts DOCTYPE declarations without disabling external entity resolution. A document can therefore declare an external entity, such as `<!ENTITY x SYSTEM "...">`, and the parser will fetch the referenced local file or URL when the entity is expanded. The parser is only safe if DOCTYPE declarations are rejected outright or, at minimum, external general entities, external parameter entities and external DTD loading are all disabled.
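The following is an added example, not code from the original page, showing the default JAXP factory beside a hardened one. The sample document and its `file:///etc/hostname` target are constructed for the demonstration; the feature URIs are the Xerces names understood by the JDK's built-in parser, and a different parser implementation may reject them with ParserConfigurationException.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {
    // Constructed sample document (not from the original page): a DOCTYPE that
    // defines an external entity pointing at a local file and references it.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [\n" +
        "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<data>&ext;</data>";

    // Vulnerable: default factory. DOCTYPE is accepted and external entities
    // are resolved, which is exactly what this rule flags.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened: reject DOCTYPE entirely (this also blocks entity-expansion DoS),
    // and additionally disable external entities, external DTDs and XInclude in
    // case a deployment ever needs to relax the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of the root element.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the entity is expanded and the file contents end up in
        // the element text (or the parser reports an IOException for a missing path,
        // which still proves the fetch was attempted).
        try {
            System.out.println("vulnerable: " + parse(vulnerableFactory(), PAYLOAD));
        } catch (Exception e) {
            System.out.println("vulnerable: fetch attempted, failed with " + e);
        }
        // Hardened factory: the parser stops at the DOCTYPE before any entity
        // is declared, so nothing is fetched.
        try {
            parse(hardenedFactory(), PAYLOAD);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Rejecting DOCTYPE is the preferred fix because it needs no allow-list of entities and closes the entity-expansion denial-of-service case as well. If the application must accept a DTD, keep the three external-entity and external-DTD features disabled and treat any remaining DOCTYPE handling as needing review.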
Impact
If exploited, an attacker who controls the XML input can use an XML External Entity (XXE) attack to read files the application process can access, cause denial of service through recursive entity expansion, or make the server issue requests to internal network resources that are not reachable from outside (server-side request forgery), potentially exposing confidential data and compromising system integrity.