Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Published

2020-05-01T19:15:12.927

Last Modified

2024-11-21T04:55:50.587

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	dom4j_project	dom4j	< 2.0.3	Yes
Application	dom4j_project	dom4j	< 2.1.3	Yes
Application	oracle	agile_plm	9.3.3	Yes
Application	oracle	agile_plm	9.3.5	Yes
Application	oracle	application_testing_suite	13.3.0.1	Yes
Application	oracle	banking_platform	≤ 2.10.0	Yes
Application	oracle	business_process_management_suite	12.2.1.3.0	Yes
Application	oracle	business_process_management_suite	12.2.1.4.0	Yes
Application	oracle	communications_application_session_controller	3.9m0p1	Yes
Application	oracle	communications_diameter_signaling_router	≤ 8.2.2	Yes
Application	oracle	communications_unified_inventory_management	7.3.0	Yes
Application	oracle	communications_unified_inventory_management	7.4.0	Yes
Application	oracle	data_integrator	12.2.1.3.0	Yes
Application	oracle	data_integrator	12.2.1.4.0	Yes
Application	oracle	documaker	≤ 12.6.4	Yes
Application	oracle	endeca_information_discovery_integrator	3.2.0	Yes
Application	oracle	enterprise_data_quality	11.1.1.9.0	Yes
Application	oracle	enterprise_data_quality	12.2.1.3.0	Yes
Application	oracle	enterprise_manager_base_platform	13.4.0.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	≤ 8.1.0	Yes
Application	oracle	flexcube_core_banking	11.7.0	Yes
Application	oracle	flexcube_core_banking	11.8.0	Yes
Application	oracle	flexcube_core_banking	11.9.0	Yes
Application	oracle	flexcube_core_banking	11.10.0	Yes
Application	oracle	fusion_middleware	12.2.1.4.0	Yes
Application	oracle	health_sciences_empirica_signal	9.0	Yes
Application	oracle	health_sciences_information_manager	3.0.1	Yes
Application	oracle	insurance_policy_administration_j2ee	≤ 11.3.0	Yes
Application	oracle	insurance_policy_administration_j2ee	10.2.0	Yes
Application	oracle	insurance_policy_administration_j2ee	10.2.4	Yes
Application	oracle	insurance_policy_administration_j2ee	11.0.2	Yes
Application	oracle	insurance_rules_palette	≤ 11.3.0	Yes
Application	oracle	insurance_rules_palette	10.2.0	Yes
Application	oracle	insurance_rules_palette	10.2.4	Yes
Application	oracle	insurance_rules_palette	11.0.2	Yes
Application	oracle	jdeveloper	12.2.1.4.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 16.2.20.1	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 17.12.17.1	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 18.8.19.0	Yes
Application	oracle	primavera_p6_enterprise_project_portfolio_management	≤ 19.12.6.0	Yes
Application	oracle	rapid_planning	12.1	Yes
Application	oracle	rapid_planning	12.2	Yes
Application	oracle	retail_customer_management_and_segmentation_foundation	16.0	Yes
Application	oracle	retail_customer_management_and_segmentation_foundation	17.0	Yes
Application	oracle	retail_customer_management_and_segmentation_foundation	18.0	Yes
Application	oracle	retail_customer_management_and_segmentation_foundation	19.0	Yes
Application	oracle	retail_integration_bus	15.0	Yes
Application	oracle	retail_integration_bus	16.0	Yes
Application	oracle	retail_order_broker	15.0	Yes
Application	oracle	retail_order_broker	16.0	Yes
Application	oracle	retail_order_broker	18.0	Yes
Application	oracle	retail_order_broker	19.0	Yes
Application	oracle	retail_order_broker	19.1	Yes
Application	oracle	retail_price_management	14.0.3	Yes
Application	oracle	retail_price_management	14.1.3.0	Yes
Application	oracle	retail_price_management	15.0.3.0	Yes
Application	oracle	retail_price_management	16.0.3.0	Yes
Application	oracle	retail_xstore_point_of_service	15.0.4	Yes
Application	oracle	retail_xstore_point_of_service	16.0.6	Yes
Application	oracle	retail_xstore_point_of_service	17.0.4	Yes
Application	oracle	retail_xstore_point_of_service	18.0.3	Yes
Application	oracle	storagetek_tape_analytics_sw_tool	2.3	Yes
Application	oracle	utilities_framework	≤ 4.3.0.6.0	Yes
Application	oracle	utilities_framework	2.2.0.0.0	Yes
Application	oracle	utilities_framework	4.2.0.2.0	Yes
Application	oracle	utilities_framework	4.2.0.3.0	Yes
Application	oracle	utilities_framework	4.4.0.0.0	Yes
Application	oracle	utilities_framework	4.4.0.2.0	Yes
Application	oracle	webcenter_portal	11.1.1.9.0	Yes
Application	oracle	webcenter_portal	12.2.1.3.0	Yes
Application	oracle	webcenter_portal	12.2.1.4.0	Yes
Operating System	opensuse	leap	15.1	Yes
Application	netapp	oncommand_api_services	-	Yes
Application	netapp	oncommand_workflow_automation	-	Yes
Application	netapp	snap_creator_framework	-	Yes
Application	netapp	snapcenter	-	Yes
Application	netapp	snapmanager	-	Yes
Application	netapp	snapmanager	-	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1694235 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html Third Party Advisory ([email protected])
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 Patch, Third Party Advisory ([email protected])
https://github.com/dom4j/dom4j/commits/version-2.0.3 Patch, Third Party Advisory ([email protected])
https://github.com/dom4j/dom4j/issues/87 Third Party Advisory ([email protected])
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 Release Notes, Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E ([email protected])
https://security.netapp.com/advisory/ntap-20200518-0002/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/4575-1/ Third Party Advisory ([email protected])
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuApr2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1694235 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dom4j/dom4j/commits/version-2.0.3 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dom4j/dom4j/issues/87 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20200518-0002/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4575-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuApr2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)