CVE-2014-125087: java-xmlbuilder vulnerable to XML External Entity Reference

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.22915%
Published: 2/19/2023
Updated: 3/1/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.jamesmurty.utils:java-xmlbuilder | maven | < 1.2 | 1.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from XML parser configurations that allowed external entity processing by default. Commit e6fddca explicitly adds an enableExternalEntities parameter to the create/parse methods and leaves external entities disabled unless the caller opts in. The pre-patch versions of these methods in the XMLBuilder and XMLBuilder2 classes lacked this protection:

  1. createDocumentImpl and parseDocumentImpl in BaseXMLBuilder.java were called without entity protection before the patch
  2. Public-facing create()/parse() methods in XMLBuilder/XMLBuilder2 propagated this insecure configuration
  3. The test case added in BaseXMLBuilderTests.java demonstrates XXE vulnerability in pre-patch behavior
  4. CWE-611 directly maps to insecure XML parsing configurations that allow external entity references
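The following is an added example, not code from the java-xmlbuilder project or its patch. It shows the JAXP DocumentBuilderFactory configuration that corresponds to the "external entities disabled by default" behaviour the fix introduces, and checks that a constructed document carrying an external entity declaration is rejected before any entity is resolved. The sample XML and the file path inside it are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardenedParse {

    // Constructed sample: a DOCTYPE declaring an external entity. A parser that still
    // expands external entities would try to fetch the referenced resource (placeholder path).
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<root>&ext;</root>";

    // Equivalent of the post-patch default (enableExternalEntities = false):
    // refuse DOCTYPE declarations outright and switch off every external-entity feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the hardened parser rejects the document, i.e. the DOCTYPE
    // is refused before any entity could be resolved.
    static boolean rejectsExternalEntity(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed: external entity handling was not blocked
        } catch (SAXException e) {
            return true;  // expected: DOCTYPE is disallowed by the feature set above
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected the sample: " + rejectsExternalEntity(SAMPLE_WITH_DOCTYPE));
        // A benign document without a DOCTYPE still parses normally.
        Document ok = hardenedBuilder().parse(new ByteArrayInputStream("<root/>".getBytes(StandardCharsets.UTF_8)));
        System.out.println("plain document root: " + ok.getDocumentElement().getNodeName());
    }
}
```

When auditing a dependency such as a pre-1.2 java-xmlbuilder, the check is whether the factory it builds internally sets these features; if it does not, every create()/parse() call on untrusted input is exposed.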
