SYM_JAVA_0128 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code creates a DocumentBuilderFactory with its default configuration, which does not disable DOCTYPE declarations. A parser built from such a factory accepts a `<!DOCTYPE>` in untrusted input, so the input itself can declare external entities (`SYSTEM`/`PUBLIC`) that the parser resolves and expands while building the document. This is the XML External Entity (XXE) pattern. The fix is to set the feature `http://apache.org/xml/features/disallow-doctype-decl` to `true` on the factory before calling `newDocumentBuilder()`; if DTDs are genuinely required, at least disable `external-general-entities`, `external-parameter-entities` and `load-external-dtd` and turn off XInclude and entity expansion.
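The following is an added example, not code from the Symbiotic database or from any project it catalogues. It puts the flagged pattern (a factory created with defaults) next to a hardened factory and runs both over a constructed XXE payload. The file path `/etc/hostname` and the class name `XxeDemo` are assumptions for the demo; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed attacker payload: the DOCTYPE declares an external entity
    // pointing at a local file and expands it inside the <data> element.
    // /etc/hostname is an assumed readable file on a Linux host.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<data>&xxe;</data>";

    // The pattern SYM_JAVA_0128 flags: default factory, DOCTYPE allowed,
    // SYSTEM entities resolved from wherever the input says.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory. disallow-doctype-decl alone closes XXE, external-DTD
    // fetches and entity-expansion DoS; the remaining flags are defence in depth
    // for parsers that ignore or lack that feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the XML with the given factory and returns the text of the root element,
    // which is where an expanded entity would surface.
    static String parseData(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the entity is resolved and the file contents land in the text node.
        System.out.println("default factory returned: " + parseData(vulnerableFactory(), PAYLOAD));

        // Hardened factory: the parser rejects the document at the DOCTYPE,
        // before any entity is declared or resolved.
        try {
            parseData(hardenedFactory(), PAYLOAD);
            System.out.println("hardened factory accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The first line prints the host's name, which is the data leak the finding describes; the second reports a parse error mentioning the DOCTYPE, which is the expected behaviour after the fix. Apply the same features on any factory that is created once and reused, since the setting must be in place before `newDocumentBuilder()` is called.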
Impact
If exploited, an attacker who controls the XML input can read files the application process can access (their contents are echoed back in the parsed document or in error messages), make server-side requests to internal hosts or services (SSRF) through `SYSTEM` identifiers, or cause denial of service through recursive entity expansion (the "billion laughs" pattern) or by pointing an external DTD at a slow or non-responsive endpoint. This can lead to data breaches, exposure of secrets such as configuration files and credentials, or disruption of your application's availability.