Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Android
- Aws-lambda
- Castor
- Java-jwt
- Jax-rs
- Jboss
- Jdo
- Jedis
- Jjwt
- Jsch
- Kryo
- Lang
- Audit
- Correctness
- Security
- Security
- Audit
- Audit
- Crypto
- Net
- Properties
- Sql
- System
- Xxe
- Documentbuilderfactory-xxe-parameter-entity
- Documentbuilderfactory-xxe
- Saxbuilder-xxe-parameter-entities
- Saxbuilder-xxe
- Saxparserfactory-xxe-parameter-entity
- Saxparserfactory-xxe
- Saxreader-xxe-parameter-entities
- Saxreader-xxe
- Saxtransformerfactory-xxe-stylesheet
- Saxtransformerfactory-xxe
- Schemafactory-xxe-schema
- Schemafactory-xxe
- Validator-xxe
- Xmlreader-xxe-parameter-entities
- Xmlreader-xxe
- Micronaut
- Mongo
- Mongodb
- Mysql
- Okhttp
- Rmi
- Servlets
- Spring
- Thymeleaf
- Xstream
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Saxbuilder xxe
The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The XML parser PARSERisnotsecurelyconfigured.ThecurrentconfigurationallowsforXXEattacks.ItisourrecommendationtosecurethisparseragainstXXEattacksbyconfiguringPARSER with $PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)
. Alternatively, the following configurations also provide protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")
$PARSER.setFeature("http://xml.org/sax/features/external-general-entities", false)
$PARSER.setExpandEntities(false)
It is also possible to use one of the constructor parameters that will result in a more secure parser by default: new SAXBuilder(XMLReaders.DTDVALIDATING)
or new SAXBuilder(XMLReaders.XSDVALIDATING)
. For more information, see: Java XXE prevention
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
- CWE-776: Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration