CVE-2019-5312: XML External Entity Reference in weixin-java-tools
CVSS Score: 9.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-5312
GHSA ID
EPSS Score: 0.64226%
CWE
Published: 5/14/2022
Updated: 1/8/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
com.github.binarywang:weixin-java-common | maven | < 3.3.2.B | 3.3.2.B
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from XML parsing in getXmlDoc(), where DocumentBuilderFactory was configured with setExpandEntityReferences(false) but lacked setFeature("http://apache.org/xml/features/disallow-doctype-decl", true). This allowed DOCTYPE declarations and external entity references. The patched commit 8ec61d1 explicitly adds this missing feature in getXmlDoc(), confirming this was the vulnerable function. The test case in BaseWxPayResultTest.java also demonstrates XXE exploitation attempts against this method.
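As an added illustration (not code from weixin-java-tools or from commit 8ec61d1), the weak DocumentBuilderFactory setup described above is placed next to a hardened one and both are run against a constructed document that carries a DOCTYPE; the class and method names are made up for the demo.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeConfigDemo {
    // Constructed sample: a DOCTYPE declaring an internal entity. A parser that
    // still accepts DOCTYPE declarations will process it; one configured with
    // disallow-doctype-decl rejects the document before any entity is handled.
    static final String XML_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xml [ <!ENTITY demo \"entity-value\"> ]>\n"
      + "<xml><return_code>&demo;</return_code></xml>";

    // Weak configuration, matching the pre-3.3.2.B getXmlDoc() description:
    // entity expansion is turned off, but DOCTYPE declarations are still accepted.
    static DocumentBuilderFactory weakFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened configuration: refuse DOCTYPE entirely (the feature the fix added),
    // plus the other standard JAXP switches that disable external entity loading.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the factory's parser accepts the document, false when the
    // parser refuses it (SAXParseException, e.g. "DOCTYPE is disallowed").
    static boolean parses(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak config accepts DOCTYPE:     " + parses(weakFactory(), XML_WITH_DOCTYPE));
        System.out.println("hardened config accepts DOCTYPE: " + parses(hardenedFactory(), XML_WITH_DOCTYPE));
    }
}
```

With the JDK's built-in Xerces parser the weak factory reports true and the hardened one reports false, which is the behavioural difference the fix introduces.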