SYM_JAVA_0004 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Restriction of XML External Entity Reference

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

The code creates an XML `DocumentBuilder` without disabling the parser's entity-processing features. With the factory's default settings, the parser will resolve DTDs and external entities found in the input, so an attacker who controls the XML can craft a document that the parser processes insecurely.
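An added example, not taken from the Symbiotic database entry, that shows the flagged pattern (a factory used with its defaults) next to a hardened configuration; the class and method names are my own, and the sample XML is constructed for the demonstration:

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeExample {

    // Pattern this rule flags: the factory keeps its defaults, so the
    // resulting parser resolves DTDs and external entities in the input.
    static DocumentBuilder insecureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    // Hardened variant: reject DOCTYPE declarations outright, which removes
    // all entity declarations, and additionally switch off the individual
    // entity and external-DTD features as defence in depth for parser
    // implementations that do not honour the first setting.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity inside a DOCTYPE,
        // enough to show that only the hardened builder refuses it.
        String xml = "<!DOCTYPE note [<!ENTITY greet \"hello\">]><note>&greet;</note>";

        Document d = insecureBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("insecure builder accepted DOCTYPE, text = "
                + d.getDocumentElement().getTextContent());

        try {
            hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            System.out.println("unexpected: hardened builder accepted DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened builder rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the hardened builder fails at the DOCTYPE before any entity is resolved, which is the behaviour to verify when reviewing a fix for this finding.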
## Impact

If exploited, attackers could read sensitive files, perform denial-of-service attacks, or make server-side network requests (SSRF) through malicious XML. This can lead to data leaks, system downtime, or unauthorized access to internal resources.