External general entities allowed in XML parser
Description
Detected enabling of external general entities in an XML parser, which can result in XML External Entity (XXE) vulnerabilities such as file disclosure from the server, denial of service, and Server-Side Request Forgery (SSRF).
Examples
Insecure Code

```java
// Switching this SAX feature on makes the parser resolve external general
// entities (file or URL references declared in a DTD), the XXE sink.
parser.setFeature("http://xml.org/sax/features/external-general-entities", true);
```

Secure Code

```java
// External general entities are not resolved; the entity reference is
// left unexpanded or reported as an error instead of fetching the resource.
parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
```

Remediation
Set the `http://xml.org/sax/features/external-general-entities` feature to `false`: `parser.setFeature("http://xml.org/sax/features/external-general-entities", false);`
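The following is an added example, not the rule's or any project's own code, showing the remediation applied to a complete SAX configuration together with a check that reads the feature back. The class name `HardenedSaxParser`, the helper names and the sample documents are constructed for illustration; the two `http://apache.org/...` feature URIs are recognised by the JDK's built-in (Xerces-derived) parser and by Apache Xerces, and are assumed here, while other SAX implementations may reject them with `SAXNotRecognizedException`.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {

    // Standard SAX feature names; the first is the one this rule keys on.
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    // Xerces/JDK-specific features (assumed available); other parsers may not recognise them.
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds an XMLReader with external entity resolution switched off. */
    public static XMLReader newHardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature(DISALLOW_DOCTYPE, true);   // strongest option: no DTD accepted at all
        factory.setFeature(EXTERNAL_GENERAL, false);  // the setting this rule checks
        factory.setFeature(EXTERNAL_PARAMETER, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory.newSAXParser().getXMLReader();
    }

    /** Reads the features back from the reader; suitable for a unit test that catches regressions. */
    public static boolean externalEntitiesDisabled(XMLReader reader) throws SAXException {
        return !reader.getFeature(EXTERNAL_GENERAL)
            && !reader.getFeature(EXTERNAL_PARAMETER);
    }

    /** Parses xml and returns its concatenated text content, or null if the parser rejected it. */
    public static String parseText(XMLReader reader, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return text.toString();
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        XMLReader reader = newHardenedReader();
        System.out.println("external entities disabled: " + externalEntitiesDisabled(reader));

        // Constructed sample input: a plain document without a DOCTYPE parses normally.
        System.out.println(parseText(reader, "<note><body>hello</body></note>"));

        // Constructed sample input: with disallow-doctype-decl on, even a benign
        // internal DTD is rejected. If the application must accept DTDs, turn that
        // feature off but keep both external-*-entities features false.
        System.out.println(parseText(reader,
            "<!DOCTYPE note [<!ENTITY greeting \"hello\">]><note>&greeting;</note>"));
    }
}
```

Setting the feature on the `SAXParserFactory` rather than on an already-built reader means every parser the factory produces inherits it, which is what a scanner like this rule wants to see. Disabling external general entities alone closes the file-disclosure path the description names; parameter entities and external DTD loading are the companion settings that close the remaining SSRF and DoS paths, and `disallow-doctype-decl` removes the attack surface entirely for applications that never need a DTD.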
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0481 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, XML External Entity |
| OWASP | A05:2021-Security Misconfiguration |