CVE-2020-10683 — XML External Entity (XXE) Injection in Project Dom4j

CWE-611 — XML External Entity (XXE) Injection21 documents9 sources

Severity

9.8CRITICALNVD

EPSS

7.0%

top 8.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dom4j Project Dom4j Oracle Banking Platform Oracle Communications Diameter Signaling Router +30 more

Timeline

PublishedMay 1

Latest updateJan 15

Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages34 packages

▶NVDdom4j_project/dom4j2.1.0 — 2.1.3+1

▶Debiandom4j_project/dom4j< 2.1.3-1+3

▶Ubuntudom4j_project/dom4j< 1.6.1+dfsg.3-2ubuntu1.1

▶NVDoracle/financial_services_analytical_applications_infrastructure8.0.6 — 8.1.0

▶NVDoracle/application_testing_suite13.3.0.1

Also affects: Ubuntu Linux 16.04

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

dom4j vulnerability↗2020-10-13

▶

OSV

dom4j allows External Entities by default which might enable XXE attacks↗2020-06-05

▶

GHSA

dom4j allows External Entities by default which might enable XXE attacks↗2020-06-05

▶

OSV

CVE-2020-10683: dom4j before 2↗2020-05-01

▶

CVEList

CVE-2020-10683: dom4j before 2↗2020-05-01

▶

📋Vendor Advisories

Oracle

Oracle Oracle Utilities Applications Risk Matrix: Content Acquisition System (dom4j) — CVE-2020-10683↗2023-01-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Dynamo Application Framework (dom4j) — CVE-2020-10683↗2022-10-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Content Acquisition System (dom4j) — CVE-2020-10683↗2022-07-15

▶

Oracle

Oracle Oracle Insurance Applications Risk Matrix: Architecture (dom4j) — CVE-2020-10683↗2022-01-15

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Bills And Collections (dom4j) — CVE-2020-10683↗2021-10-15

▶

💬Community

Bugzilla

CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser [fedora-all]↗2020-04-15

▶

Bugzilla

CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser↗2019-03-29

▶