Vulnerabilities > Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

DATE CVE VULNERABILITY TITLE RISK
2019-10-17 CVE-2019-11253 XML Entity Expansion vulnerability in multiple products
Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable.
network
low complexity
kubernetes redhat CWE-776
7.5
2019-09-10 CVE-2019-12401 XML Entity Expansion vulnerability in Apache Solr
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a.
network
low complexity
apache CWE-776
7.5
2019-09-04 CVE-2019-15903 XML Entity Expansion vulnerability in multiple products
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
network
low complexity
libexpat-project python CWE-776
7.5
2019-08-19 CVE-2019-15160 XML Entity Expansion vulnerability in Kbrw Sweet XML
The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.
network
low complexity
kbrw CWE-776
7.5
2019-06-12 CVE-2019-5442 XML Entity Expansion vulnerability in Pippo 1.12.0
XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken.
network
low complexity
pippo CWE-776
7.5
2019-04-22 CVE-2019-5427 XML Entity Expansion vulnerability in multiple products
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
network
low complexity
mchange fedoraproject oracle CWE-776
7.5
2017-03-24 CVE-2017-5644 XML Entity Expansion vulnerability in Apache POI
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
local
low complexity
apache CWE-776
5.5
2011-10-06 CVE-2011-3288 XML Entity Expansion vulnerability in Cisco Unified Presence
Cisco Unified Presence before 8.5(4) does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption, and process crash) via a crafted XML document containing a large number of nested entity references, aka Bug IDs CSCtq89842 and CSCtq88547, a similar issue to CVE-2003-1564.
network
low complexity
cisco CWE-776
7.5
2011-06-21 CVE-2011-1755 XML Entity Expansion vulnerability in multiple products
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
network
low complexity
jabberd2 fedoraproject apple CWE-776
7.5
2009-06-08 CVE-2009-1955 XML Entity Expansion vulnerability in multiple products
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
7.5