9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2014-125087

GHSA ID

GHSA-3vrc-rrpw-r5pw

EPSS Score

0.22915%

CWE

CWE-611

Published

2/19/2023

Updated

3/1/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-125087

CVE-2014-125087: java-xmlbuilder vulnerable to XML External Entity Reference

A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2014-125087

CVE-2014-125087:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2014-125087

GHSA ID

GHSA-3vrc-rrpw-r5pw

EPSS Score

0.22915%

CWE

CWE-611

Published

2/19/2023

Updated

3/1/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.jamesmurty.utils:java-xmlbuilder	maven	< 1.2	1.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from XML parser configurations that allowed external entity processing by default. The commit e6fddca explicitly adds enableExternalEntities parameters to create/parse methods and disables them by default. The pre-patch versions of these methods in XMLBuilder and XMLBuilder2 classes lacked this protection:

createDocumentImpl and parseDocumentImpl in BaseXMLBuilder.java were called without entity protection before the patch
Public-facing create()/parse() methods in XMLBuilder/XMLBuilder2 propagated this insecure configuration
The test case added in BaseXMLBuilderTests.java demonstrates XXE vulnerability in pre-patch behavior
CWE-611 directly maps to insecure XML parsing configurations that allow external entity references

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2014-125087: java-xmlbuilder vulnerable to XML External Entity Reference

CVE-2014-125087:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

CVE-2014-125087: java-xmlbuilder vulnerable to XML External Entity Reference

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI