Dashboard
Dashboard

Xxe

documentbuilderfactory-external-general-entities-true

External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature “http://xml.org/sax/features/external-general-entities” to false.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

documentbuilderfactory-disallow-doctype-decl-missing

DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature “http://apache.org/xml/features/disallow-doctype-decl” to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features “http://xml.org/sax/features/external-general-entities” and “http://xml.org/sax/features/external-parameter-entities” to false.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

transformerfactory-dtds-not-disabled

DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes “accessExternalDTD” and “accessExternalStylesheet” to "".
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

documentbuilderfactory-disallow-doctype-decl-false

DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature “http://apache.org/xml/features/disallow-doctype-decl” to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features “http://xml.org/sax/features/external-general-entities” and “http://xml.org/sax/features/external-parameter-entities” to false.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

documentbuilderfactory-external-parameter-entities-true

External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature “http://xml.org/sax/features/external-parameter-entities” to false.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

saxparserfactory-disallow-doctype-decl-missing

DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature http://apache.org/xml/features/disallow-doctype-decl to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

Assistant

Responses are generated using AI and may contain mistakes.

Get Started

CodeAnt AI
Setup
Control Center
Pull Request Review
IDE
Compliance
Anti-Patterns
Code Governance
Infrastructure Security Database
Application Security Database

Xxe