CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Status
draft
Abstraction
base
Likelihood
medium
Affected Platforms
Not Language-Specific
XML
Extended Description
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Technical Details
Common Consequences
availability
Impacts
dos: resource consumption (other)
Detection Methods
automated static analysis
Potential Mitigations
Phases:
operation
implementation
Descriptions:
• Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
• If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
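
One way to carry out the first mitigation, as an added example that is not part of the CWE entry: read only the entity declarations, compute each entity's fully expanded size arithmetically, and reject the document before any expansion happens. The function names, the 10,000-character budget, the depth limit of 64 and both sample documents are assumptions made for this illustration.

```python
import re
from xml.parsers import expat
_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")      # general entity reference

class EntityExpansionError(ValueError): pass      # DTD is recursive or over budget
class _DtdDone(Exception): pass                   # internal: DTD read, stop before body

def collect_entities(xml_bytes):
    """Return {name: unexpanded replacement text} for internal general entities."""
    entities = {}
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is not None and not is_param:
            entities.setdefault(name, value)      # first declaration is binding
    def on_start_element(name, attrs):
        raise _DtdDone                            # never reach references in content
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(xml_bytes, True)
    except _DtdDone:
        pass
    return entities

def expanded_size(name, entities, budget, memo, stack=()):
    """Length of &name; after full expansion, computed without building the string."""
    if name in stack or len(stack) > 64:          # 64 is an assumed depth limit
        raise EntityExpansionError(f"recursive or too deeply nested: &{name};")
    if name not in memo:
        text = entities[name]
        size = len(_REF.sub("", text))            # literal characters only
        for ref in _REF.findall(text):
            size += (expanded_size(ref, entities, budget, memo, stack + (name,))
                     if ref in entities else len(ref) + 2)
            if size > budget:
                raise EntityExpansionError(f"&{name}; expands past {budget} characters")
        memo[name] = size                         # memo keeps the scan linear
    return memo[name]

def scan_dtd(xml_bytes, budget=10_000):           # budget is an assumed default
    """Return {entity: expanded size}, or raise before anything is expanded."""
    entities, memo = collect_entities(xml_bytes), {}
    return {n: expanded_size(n, entities, budget, memo) for n in entities}

# Constructed samples: four nesting levels, and a two-entity cycle.
NESTED = b"""<!DOCTYPE r [ <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> ]><r>&d;</r>"""
CYCLE = b"""<!DOCTYPE r [ <!ENTITY x "&y;"> <!ENTITY y "&x;"> ]><r>&x;</r>"""
```

The scan bounds each entity's expanded size, not how many times the document body references it, so it complements a parser-side expansion limit rather than replacing one.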