Description
View on MITREMany XML parsers and validators can be configured to disable external entity expansion.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-611: CWE-611: Improper Restriction of XML External Entity Reference is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-611 (CWE-611: Improper Restriction of XML External Entity Reference) it can compromise Read Application Data, Read Files or Directories, Bypass Protection Mechanism, DoS: Resource Consumption (CPU) and DoS: Resource Consumption (Memory), leading to outcomes such as Scope: Confidentiality If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as ", file:///c:/winnt/win.ini" and designates (in Windows) the file C:\Winnt\win.ini.
Recommended mitigations for CWE-611 include: Many XML parsers and validators can be configured to disable external entity expansion.
CWE-611 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-611 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.