CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Description

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service. If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources. The weakness is introduced during the Implementation and Operation stages.
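The following is an added example, not part of the CWE entry or of any particular parser: a defensive pre-parse check in Python that reads the general entities declared in a document's internal DTD subset, refuses reference cycles, external subsets and parameter entities, and computes how large the document would become if every entity reference were expanded, without actually expanding anything. The regex-based DTD scanner, the `billion_laughs` sample generator and the limits (`max_total`, `max_depth`) are assumptions chosen for illustration; a production deployment would combine such a budget with the parser's own entity controls rather than rely on the filter alone.

```python
import re

# Regexes for the internal DTD subset. Constructed for this example: they cover
# literal general-entity declarations, which is all the size estimate needs;
# anything else (parameter entities, external subsets) is rejected outright.
DOCTYPE_INTERNAL = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)
DOCTYPE_EXTERNAL = re.compile(r'<!DOCTYPE\b[^\[>]*\b(?:SYSTEM|PUBLIC)\b')
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
UNSAFE_DECL = re.compile(r'<!ENTITY\s+(?:%|[\w.-]+\s+(?:SYSTEM|PUBLIC)\b)')
ENTITY_REF = re.compile(r'&([\w.-]+);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # expanded length


def parse_internal_entities(xml_text):
    """Return {name: replacement_text} for literal general entities in the internal subset."""
    m = DOCTYPE_INTERNAL.search(xml_text)
    if not m:
        return {}
    return {name: dq if dq else sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expansion_cost(name, entities, memo=None, active=None):
    """Return (expanded_length, nesting_depth) of &name; without building the text.

    Memoised per entity so the cost is linear in the DTD even when the expansion
    itself would be exponential. Raises ValueError on a reference cycle or an
    undeclared entity; both are well-formedness errors an XML parser must reject,
    but refusing them here means the check does not depend on the parser doing so.
    """
    memo = {} if memo is None else memo
    active = set() if active is None else active
    if name in memo:
        return memo[name]
    if name in PREDEFINED:
        return (PREDEFINED[name], 0)
    if name in active:
        raise ValueError(f"recursive entity reference: {name}")
    body = entities.get(name)
    if body is None:
        raise ValueError(f"undeclared entity: {name}")
    active.add(name)
    size, depth, pos = 0, 0, 0
    for ref in ENTITY_REF.finditer(body):
        size += ref.start() - pos  # literal text before this reference
        sub_size, sub_depth = expansion_cost(ref.group(1), entities, memo, active)
        size += sub_size
        depth = max(depth, sub_depth + 1)
        pos = ref.end()
    size += len(body) - pos  # literal text after the last reference
    active.discard(name)
    memo[name] = (size, depth)
    return memo[name]


def audit_entity_expansion(xml_text, max_total=10_000, max_depth=4):
    """Return (ok, reason). Budgets are illustrative; tune them to the expected documents."""
    if DOCTYPE_EXTERNAL.search(xml_text):
        return False, "external DTD subset is not allowed"
    m = DOCTYPE_INTERNAL.search(xml_text)
    subset = m.group(1) if m else ""
    if UNSAFE_DECL.search(subset):
        return False, "parameter or external entity declaration is not allowed"
    entities = parse_internal_entities(xml_text)
    # References in comments or CDATA are counted too; over-estimating is the safe side.
    document_body = xml_text[m.end():] if m else xml_text
    memo, total, depth = {}, 0, 0
    try:
        for ref in ENTITY_REF.finditer(document_body):
            size, d = expansion_cost(ref.group(1), entities, memo)
            total += size
            depth = max(depth, d)
    except ValueError as err:
        return False, str(err)
    if depth > max_depth:
        return False, f"entity nesting depth {depth} exceeds {max_depth}"
    if total > max_total:
        return False, f"expanded size {total} exceeds {max_total}"
    return True, f"ok: {total} chars expanded, depth {depth}"


def billion_laughs(levels, fanout=10):
    """Constructed sample: the classic nested-entity DTD, parameterised by depth."""
    decls = [' <!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f' <!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{levels};</lolz>')


# Constructed samples for the other paths.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>'
          '<note>&company; &amp; partners</note>')
CYCLIC = '<!DOCTYPE a [ <!ENTITY x "&y;"> <!ENTITY y "&x;"> ]><a>&x;</a>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("cyclic", CYCLIC),
                       ("laughs-2", billion_laughs(2)), ("laughs-4", billion_laughs(4))]:
        print(label, audit_entity_expansion(doc))
```

The estimate is exact for literal internal entities because each entity's expanded length is computed once and reused, so a document that would expand to gigabytes is rejected after touching only a few hundred bytes of DTD. The depth limit is the direct control the CWE asks for (how many levels of recursive definition are tolerated); the total-size limit catches wide-but-shallow variants that stay within the depth budget.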




References

Description of CWE-776 on Mitre website