CVE-2016-6798

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Sling's XSS Protection API allows attackers to perform XML External Entity (XXE) attacks through insecure SAX parser configuration. It affects all Apache Sling applications using XSS.getValidXML() method for user input validation, potentially enabling data theft, SSRF attacks, and denial of service.

💻 Affected Systems

Products:
  • Apache Sling XSS Protection API
Versions: All versions before 1.0.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using XSS.getValidXML() method for user input validation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including sensitive file disclosure, internal network reconnaissance via SSRF, and application denial of service.

🟠 Likely Case

Unauthorized file system access leading to credential theft, configuration exposure, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and network segmentation, though XXE attacks could still cause application instability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE exploitation is well-documented with many public tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.12

Vendor Advisory: https://lists.apache.org/thread.html/b72c3a511592ec70729b3ec2d29302b6ce87bbeab62d4745617a6bd0%40%3Cdev.sling.apache.org%3E

Restart Required: Yes

Instructions:

1. Update Apache Sling XSS Protection API to version 1.0.12 or later.
2. Restart all affected applications.
3. Verify the update by checking the module version.

🔧 Temporary Workarounds

Disable external entity processing (applies to: all)

  • Configure the SAX parser to disallow external entity resolution
  • Set SAX parser features: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true

Additional input validation (applies to: all)

  • Implement additional input validation before XSS.getValidXML() calls
  • Add whitelist validation for XML input patterns

🧯 If You Can't Patch

  • Implement network segmentation to restrict outbound connections from affected systems
  • Deploy WAF with XXE protection rules and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Apache Sling XSS Protection API version is below 1.0.12 and application uses XSS.getValidXML() method.

Check Version:

Check Maven dependencies or module manifest for org.apache.sling.xss version

Verify Fix Applied:

Confirm version is 1.0.12 or higher and test XXE payloads are properly rejected.
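The following Java example is added here to illustrate both the SAX parser workaround above (FEATURE_SECURE_PROCESSING and disallow-doctype-decl) and the "test XXE payloads are properly rejected" verification step. It is not code from Apache Sling or from the advisory; the class and method names are assumptions, and the feature URIs are the standard JAXP/Xerces ones. Under this configuration the benign document is accepted and any input carrying a DOCTYPE declaration is rejected before any entity can be resolved.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical hardened replacement for a getValidXML()-style check.
public class HardenedXmlValidator {

    // Builds a SAXParserFactory with DOCTYPE declarations, external entities
    // and external DTD loading all disabled. Feature URIs are the standard
    // JAXP / Xerces identifiers.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejects any <!DOCTYPE ...>, which removes the XXE surface entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns true only if the input parses as well-formed XML under the
    // hardened configuration. A DOCTYPE, an external entity or malformed
    // markup all cause the parser to throw, which is reported as "invalid".
    static boolean isValidXml(String input) {
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(input)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;   // disallowed construct or not well-formed
        } catch (Exception e) {
            return false;   // parser configuration problem: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the verification step.
        String benign = "<note><to>ops</to><body>hello</body></note>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"inline\">]><x>&e;</x>";

        System.out.println("benign input accepted:  " + isValidXml(benign));
        System.out.println("DOCTYPE input accepted: " + isValidXml(withDoctype));
    }
}
```

SAXParserFactory instances are not guaranteed to be thread-safe, so in a real service the factory should be built once per thread or guarded; the check itself stays the same. A fix is only verified when the second line reports false, regardless of which library version the manifest claims.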

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors with external entity references
  • Unusual file access patterns from web application

Network Indicators:

  • Outbound HTTP requests to internal resources from web server
  • DNS requests for internal hostnames

SIEM Query:

source="web_server" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")

🔗 References
