SYM_JAVA_0129 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code enables external general entities when processing XML with DocumentBuilderFactory, which allows an XML document to reference external resources through entity declarations in its DOCTYPE. With this setting on, an attacker who controls the XML input can make the parser include or access sensitive files.
Impact
If exploited, an attacker could read confidential files from the server, perform internal network requests, or cause denial of service. This can lead to data breaches, unauthorized access to internal systems, or system instability.