CWE-611: Improper Restriction of XML External Entity Reference
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data Read Files or Directories
说明: If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
影响范围: Integrity
技术影响: Bypass Protection Mechanism
说明: The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.
影响范围: Availability
技术影响: DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory)
说明: The product could consume excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random. Alternately, the URI could reference a file that contains many nested or recursive entity references to further slow down parsing.
潜在缓解措施
阶段: Implementation System Configuration
描述: Many XML parsers and validators can be configured to disable external entity expansion.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2022-42745
Recruiter software allows reading arbitrary files using XXE
参考: CVE-2005-1306
A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script.
参考: CVE-2012-5656
XXE during SVG image conversion
参考: CVE-2012-2239
XXE in PHP application allows reading the application's configuration file.
参考: CVE-2012-3489
XXE in database server
参考: CVE-2012-4399
XXE in rapid web application development framework allows reading arbitrary files.
参考: CVE-2012-3363
XXE via XML-RPC request.
参考: CVE-2012-0037
XXE in office document product using RDF.
参考: CVE-2011-4107
XXE in web-based administration tool for database.
参考: CVE-2010-3322
XXE in product that performs large-scale data analysis.
参考: CVE-2009-1699
XXE in XSL stylesheet functionality in a common library used by some web browsers.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| WASC | 43 | XML External Entities | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |