Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh3ajMtbTNwNi1oajM4
dom4j allows External Entities by default which might enable XXE attacks
dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh3ajMtbTNwNi1oajM4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00853
EPSS Percentile: 0.82005
Identifiers: GHSA-hwj3-m3p6-hj38, CVE-2020-10683
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-10683
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://security.netapp.com/advisory/ntap-20200518-0002/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E
- https://usn.ubuntu.com/4575-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-hwj3-m3p6-hj38
Blast Radius: 43.8
Affected Packages
maven:dom4j:dom4j
Dependent packages: 1,969Dependent repositories: 29,699
Downloads:
Affected Version Ranges: <= 1.6.1
No known fixed version
All affected versions: 1.5.1, 1.5.2, 1.6.1
maven:org.dom4j:dom4j
Dependent packages: 1,037Dependent repositories: 4,336
Downloads:
Affected Version Ranges: >= 2.1.0, < 2.1.3, < 2.0.3
Fixed in: 2.1.3, 2.0.3
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1
All unaffected versions: 2.0.3, 2.1.3, 2.1.4