Improper Restriction of XML External Entity Reference

Published: Jan 21, 2014 | Modified: Oct 27, 2021

expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.


The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name            Vendor            Start Version  End Version
Libexpat        Libexpat_project  *              *
Apache2         Ubuntu            devel          *
Apache2         Ubuntu            hardy          *
Apache2         Ubuntu            lucid          *
Apache2         Ubuntu            oneiric        *
Apache2         Ubuntu            precise        *
Apache2         Ubuntu            quantal        *
Apache2         Ubuntu            raring         *
Apache2         Ubuntu            upstream       *
Apr-util        Ubuntu            devel          *
Apr-util        Ubuntu            hardy          *
Apr-util        Ubuntu            lucid          *
Apr-util        Ubuntu            oneiric        *
Apr-util        Ubuntu            precise        *
Apr-util        Ubuntu            quantal        *
Apr-util        Ubuntu            raring         *
Apr-util        Ubuntu            upstream       *
Audacity        Ubuntu            devel          *
Audacity        Ubuntu            hardy          *
Audacity        Ubuntu            lucid          *
Audacity        Ubuntu            oneiric        *
Audacity        Ubuntu            precise        *
Audacity        Ubuntu            quantal        *
Audacity        Ubuntu            raring         *
Audacity        Ubuntu            upstream       *
Ayttm           Ubuntu            devel          *
Ayttm           Ubuntu            hardy          *
Ayttm           Ubuntu            lucid          *
Ayttm           Ubuntu            oneiric        *
Ayttm           Ubuntu            precise        *
Ayttm           Ubuntu            quantal        *
Ayttm           Ubuntu            raring         *
Ayttm           Ubuntu            upstream       *
Cableswig       Ubuntu            devel          *
Cableswig       Ubuntu            hardy          *
Cableswig       Ubuntu            lucid          *
Cableswig       Ubuntu            oneiric        *
Cableswig       Ubuntu            precise        *
Cableswig       Ubuntu            quantal        *
Cableswig       Ubuntu            raring         *
Cableswig       Ubuntu            upstream       *
Cadaver         Ubuntu            devel          *
Cadaver         Ubuntu            hardy          *
Cadaver         Ubuntu            lucid          *
Cadaver         Ubuntu            oneiric        *
Cadaver         Ubuntu            precise        *
Cadaver         Ubuntu            quantal        *
Cadaver         Ubuntu            raring         *
Cadaver         Ubuntu            upstream       *
Celementtree    Ubuntu            hardy          *
Celementtree    Ubuntu            upstream       *
Cmake           Ubuntu            devel          *
Cmake           Ubuntu            hardy          *
Cmake           Ubuntu            lucid          *
Cmake           Ubuntu            oneiric        *
Cmake           Ubuntu            precise        *
Cmake           Ubuntu            quantal        *
Cmake           Ubuntu            raring         *
Cmake           Ubuntu            upstream       *
Coin3           Ubuntu            devel          *
Coin3           Ubuntu            lucid          *
Coin3           Ubuntu            oneiric        *
Coin3           Ubuntu            precise        *
Coin3           Ubuntu            quantal        *
Coin3           Ubuntu            raring         *
Coin3           Ubuntu            upstream       *
Expat           Ubuntu            devel          *
Expat           Ubuntu            hardy          *
Expat           Ubuntu            lucid          *
Expat           Ubuntu            oneiric        *
Expat           Ubuntu            precise        *
Expat           Ubuntu            quantal        *
Expat           Ubuntu            raring         *
Expat           Ubuntu            upstream       *
Gdcm            Ubuntu            devel          *
Gdcm            Ubuntu            lucid          *
Gdcm            Ubuntu            oneiric        *
Gdcm            Ubuntu            precise        *
Gdcm            Ubuntu            quantal        *
Gdcm            Ubuntu            raring         *
Gdcm            Ubuntu            upstream       *
Ghostscript     Ubuntu            devel          *
Ghostscript     Ubuntu            hardy          *
Ghostscript     Ubuntu            lucid          *
Ghostscript     Ubuntu            oneiric        *
Ghostscript     Ubuntu            precise        *
Ghostscript     Ubuntu            quantal        *
Ghostscript     Ubuntu            raring         *
Ghostscript     Ubuntu            upstream       *
Grmonitor       Ubuntu            hardy          *
Grmonitor       Ubuntu            upstream       *
Insighttoolkit  Ubuntu            devel          *
Insighttoolkit  Ubuntu            hardy          *
Insighttoolkit  Ubuntu            lucid          *
Insighttoolkit  Ubuntu            oneiric        *
Insighttoolkit  Ubuntu            precise        *
Insighttoolkit  Ubuntu            quantal        *
Insighttoolkit  Ubuntu            raring         *
Insighttoolkit  Ubuntu            upstream       *
Kompozer        Ubuntu            hardy          *
Kompozer        Ubuntu            lucid          *
Kompozer        Ubuntu            oneiric        *
Kompozer        Ubuntu            precise        *
Kompozer        Ubuntu            upstream       *
Libparagui1.1   Ubuntu            hardy          *
Libparagui1.1   Ubuntu            lucid          *
Libparagui1.1   Ubuntu            oneiric        *
Libparagui1.1   Ubuntu            precise        *
Libparagui1.1   Ubuntu            upstream       *
Matanza         Ubuntu            devel          *
Matanza         Ubuntu            hardy          *
Matanza         Ubuntu            lucid          *
Matanza         Ubuntu            oneiric        *
Matanza         Ubuntu            precise        *
Matanza         Ubuntu            quantal        *
Matanza         Ubuntu            raring         *
Matanza         Ubuntu            upstream       *
Paraview        Ubuntu            devel          *
Paraview        Ubuntu            lucid          *
Paraview        Ubuntu            oneiric        *
Paraview        Ubuntu            precise        *
Paraview        Ubuntu            quantal        *
Paraview        Ubuntu            raring         *
Paraview        Ubuntu            upstream       *
Poco            Ubuntu            devel          *
Poco            Ubuntu            hardy          *
Poco            Ubuntu            lucid          *
Poco            Ubuntu            oneiric        *
Poco            Ubuntu            precise        *
Poco            Ubuntu            quantal        *
Poco            Ubuntu            raring         *
Poco            Ubuntu            upstream       *
Python-xml      Ubuntu            hardy          *
Python-xml      Ubuntu            upstream       *
Python2.4       Ubuntu            hardy          *
Python2.4       Ubuntu            upstream       *
Python2.5       Ubuntu            hardy          *
Python2.5       Ubuntu            upstream       *
Python2.6       Ubuntu            lucid          *
Python2.6       Ubuntu            oneiric        *
Python2.6       Ubuntu            upstream       *
Simgear         Ubuntu            devel          *
Simgear         Ubuntu            hardy          *
Simgear         Ubuntu            lucid          *
Simgear         Ubuntu            oneiric        *
Simgear         Ubuntu            precise        *
Simgear         Ubuntu            quantal        *
Simgear         Ubuntu            raring         *
Simgear         Ubuntu            upstream       *
Sitecopy        Ubuntu            devel          *
Sitecopy        Ubuntu            hardy          *
Sitecopy        Ubuntu            lucid          *
Sitecopy        Ubuntu            oneiric        *
Sitecopy        Ubuntu            precise        *
Sitecopy        Ubuntu            quantal        *
Sitecopy        Ubuntu            raring         *
Sitecopy        Ubuntu            upstream       *
Smart           Ubuntu            devel          *
Smart           Ubuntu            hardy          *
Smart           Ubuntu            lucid          *
Smart           Ubuntu            oneiric        *
Smart           Ubuntu            precise        *
Smart           Ubuntu            quantal        *
Smart           Ubuntu            raring         *
Smart           Ubuntu            upstream       *
Swish-e         Ubuntu            devel          *
Swish-e         Ubuntu            hardy          *
Swish-e         Ubuntu            lucid          *
Swish-e         Ubuntu            oneiric        *
Swish-e         Ubuntu            precise        *
Swish-e         Ubuntu            quantal        *
Swish-e         Ubuntu            raring         *
Swish-e         Ubuntu            upstream       *
Tdom            Ubuntu            devel          *
Tdom            Ubuntu            lucid          *
Tdom            Ubuntu            oneiric        *
Tdom            Ubuntu            precise        *
Tdom            Ubuntu            quantal        *
Tdom            Ubuntu            raring         *
Tdom            Ubuntu            upstream       *
Texlive-bin     Ubuntu            devel          *
Texlive-bin     Ubuntu            hardy          *
Texlive-bin     Ubuntu            lucid          *
Texlive-bin     Ubuntu            oneiric        *
Texlive-bin     Ubuntu            precise        *
Texlive-bin     Ubuntu            quantal        *
Texlive-bin     Ubuntu            raring         *
Texlive-bin     Ubuntu            upstream       *
Tla             Ubuntu            devel          *
Tla             Ubuntu            hardy          *
Tla             Ubuntu            lucid          *
Tla             Ubuntu            oneiric        *
Tla             Ubuntu            precise        *
Tla             Ubuntu            quantal        *
Tla             Ubuntu            raring         *
Tla             Ubuntu            upstream       *
Vnc4            Ubuntu            devel          *
Vnc4            Ubuntu            hardy          *
Vnc4            Ubuntu            lucid          *
Vnc4            Ubuntu            oneiric        *
Vnc4            Ubuntu            precise        *
Vnc4            Ubuntu            quantal        *
Vnc4            Ubuntu            raring         *
Vnc4            Ubuntu            upstream       *
Vtk             Ubuntu            devel          *
Vtk             Ubuntu            hardy          *
Vtk             Ubuntu            lucid          *
Vtk             Ubuntu            oneiric        *
Vtk             Ubuntu            precise        *
Vtk             Ubuntu            quantal        *
Vtk             Ubuntu            raring         *
Vtk             Ubuntu            upstream       *
W3c-libwww      Ubuntu            hardy          *
W3c-libwww      Ubuntu            upstream       *
Wbxml2          Ubuntu            devel          *
Wbxml2          Ubuntu            hardy          *
Wbxml2          Ubuntu            lucid          *
Wbxml2          Ubuntu            oneiric        *
Wbxml2          Ubuntu            precise        *
Wbxml2          Ubuntu            quantal        *
Wbxml2          Ubuntu            raring         *
Wbxml2          Ubuntu            upstream       *
Wxwidgets2.6    Ubuntu            hardy          *
Wxwidgets2.6    Ubuntu            lucid          *
Wxwidgets2.6    Ubuntu            oneiric        *
Wxwidgets2.6    Ubuntu            precise        *
Wxwidgets2.6    Ubuntu            upstream       *
Wxwidgets2.8    Ubuntu            devel          *
Wxwidgets2.8    Ubuntu            hardy          *
Wxwidgets2.8    Ubuntu            lucid          *
Wxwidgets2.8    Ubuntu            oneiric        *
Wxwidgets2.8    Ubuntu            precise        *
Wxwidgets2.8    Ubuntu            quantal        *
Wxwidgets2.8    Ubuntu            raring         *
Wxwidgets2.8    Ubuntu            upstream       *
Wxwindows2.4    Ubuntu            hardy          *
Wxwindows2.4    Ubuntu            upstream       *
Xmlrpc-c        Ubuntu            devel          *
Xmlrpc-c        Ubuntu            hardy          *
Xmlrpc-c        Ubuntu            lucid          *
Xmlrpc-c        Ubuntu            oneiric        *
Xmlrpc-c        Ubuntu            precise        *
Xmlrpc-c        Ubuntu            quantal        *
Xmlrpc-c        Ubuntu            raring         *
Xmlrpc-c        Ubuntu            upstream       *
Xotcl           Ubuntu            devel          *
Xotcl           Ubuntu            lucid          *
Xotcl           Ubuntu            oneiric        *
Xotcl           Ubuntu            precise        *
Xotcl           Ubuntu            quantal        *
Xotcl           Ubuntu            raring         *
Xotcl           Ubuntu            upstream       *
Xulrunner       Ubuntu            hardy          *
Xulrunner       Ubuntu            upstream       *

Extended Description

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing. By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as “file:///c:/winnt/win.ini” designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents.
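The CVE description above says expat leaves entity handling to the application unless it installs an entity declaration handler (XML_SetEntityDeclHandler), and the extended description explains why an unchecked external entity is dangerous. The following example, added here and not taken from the CVE record, expat or any of the listed packages, shows what that application-side check looks like using Python's expat binding (xml.parsers.expat, whose EntityDeclHandler wraps the C function named in the CVE). The handler fires when expat finishes parsing an <!ENTITY ...> declaration, before any reference to that entity is expanded, so a declaration carrying a SYSTEM or PUBLIC identifier can be refused before the parser's ExternalEntityRefHandler would ever be consulted. It also caps the number and size of internal entity declarations as a cheap guard against the resource-consumption case the CVE mentions. The sample documents, the budgets MAX_ENTITY_DECLS and MAX_ENTITY_VALUE_LEN, and the file:///placeholder URI are constructed for this example.

```python
"""Refuse XML documents that declare external or excessive entities before
any entity reference can be expanded (defensive use of expat from Python)."""
import xml.parsers.expat

# Constructed budgets for this example; tune to what your documents legitimately need.
MAX_ENTITY_DECLS = 100        # more <!ENTITY> declarations than this is suspicious
MAX_ENTITY_VALUE_LEN = 4096   # longest replacement text allowed for one internal entity


class UnsafeEntityError(ValueError):
    """Raised when a document declares an entity the application refuses to expand."""


def parse_untrusted_xml(data: bytes) -> str:
    """Parse `data` with expat and return its concatenated character data.

    EntityDeclHandler is the Python binding of XML_SetEntityDeclHandler. It is
    called once per <!ENTITY ...> declaration, before the entity is ever
    referenced, so external entities are rejected at declaration time and no
    URI is resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    text_parts = []
    decl_count = 0

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        nonlocal decl_count
        decl_count += 1
        # An external entity is one with a SYSTEM or PUBLIC identifier; its
        # `value` is None because the replacement text lives at the URI.
        if system_id is not None or public_id is not None:
            raise UnsafeEntityError(
                f"external entity {name!r} -> {system_id!r} refused")
        if decl_count > MAX_ENTITY_DECLS:
            raise UnsafeEntityError("too many entity declarations")
        if value is not None and len(value) > MAX_ENTITY_VALUE_LEN:
            raise UnsafeEntityError(
                f"entity {name!r} replacement text too large ({len(value)} chars)")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text_parts.append
    # No ExternalEntityRefHandler is installed, so even if a declaration
    # slipped through, pyexpat would skip the reference rather than fetch it.
    parser.Parse(data, True)   # an exception raised in a handler propagates out of Parse()
    return "".join(text_parts)


def is_rejected(data: bytes) -> bool:
    """True if the document is refused by the entity policy, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UnsafeEntityError:
        return True
    return False


# Constructed sample documents (not from the CVE page).
SAFE_DOC = (b'<?xml version="1.0"?><!DOCTYPE note [ <!ENTITY greeting "hello"> ]>'
            b'<note>&greeting;</note>')

# An external general entity; the URI is a placeholder, never resolved.
EXTERNAL_DOC = (b'<?xml version="1.0"?><!DOCTYPE note [ '
                b'<!ENTITY ext SYSTEM "file:///placeholder/local/file"> ]>'
                b'<note>&ext;</note>')

# 150 tiny internal entities: harmless individually, but over the declaration budget.
FLOOD_DOC = (b'<?xml version="1.0"?><!DOCTYPE note [ '
             + "".join(f'<!ENTITY e{i} "x">' for i in range(150)).encode()
             + b' ]><note>&e0;</note>')

if __name__ == "__main__":
    print("safe document text:", parse_untrusted_xml(SAFE_DOC))
    for label, doc in (("external entity", EXTERNAL_DOC), ("entity flood", FLOOD_DOC)):
        print(f"{label}: {'rejected' if is_rejected(doc) else 'accepted'}")
```

The same pattern applies in C: register the handler with XML_SetEntityDeclHandler and call XML_StopParser from it when systemId or publicId is non-NULL. Rejecting at the declaration is preferable to inspecting URIs inside the external entity reference handler, because the reference handler is only reached after the application has already agreed to resolve something.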

Potential Mitigations