CWE-827

Improper Control of Document Type Definition

AI Translation Available

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

Status

incomplete

Abstraction

variant

Affected Platforms

XML

Extended Description

AI Translation

As DTDs are processed, they might try to read or include files on the machine performing the parsing. If an attacker is able to control the DTD, then the attacker might be able to specify sensitive resources or requests or provide malicious content.

For example, the SOAP specification prohibits SOAP messages from containing DTDs.

Technical Details

AI Translation

Common Consequences

confidentiality availability integrity access control

Impacts

read files or directories dos: resource consumption (cpu) dos: resource consumption (memory) execute unauthorized code or commands gain privileges or assume identity

Potential Mitigations

AI Generated Translation

Common Consequences

riservatezza disponibilità integrità controllo degli accessi

Impacts

leggere file o directory dos: consumo di risorse (cpu) dos: consumo di risorse (memoria) eseguire codice o comandi non autorizzati ottenere privilegi o assumere identità

CWE-827

Common Consequences

Impacts

Potential Mitigations

Common Consequences

Impacts

Potential Mitigations

Iscriviti alla newsletter