SYM_JAVA_0127 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
A SAXParserFactory is used without disabling XML DOCTYPE declarations or external entity resolution, which leaves the resulting parser vulnerable to XML External Entity (XXE) attacks: any untrusted XML input it processes may be handled insecurely.
Impact
If exploited, an attacker could read sensitive files, cause the server to issue network requests on their behalf, or cause a denial of service. Any of these can lead to a significant data breach or compromise the application's infrastructure.