CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1694235	Issue Tracking Patch Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html	Third Party Advisory
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658	Patch Third Party Advisory
https://github.com/dom4j/dom4j/commits/version-2.0.3	Patch Third Party Advisory
https://github.com/dom4j/dom4j/issues/87	Third Party Advisory
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3	Release Notes Third Party Advisory
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
https://security.netapp.com/advisory/ntap-20200518-0002/	Third Party Advisory
https://usn.ubuntu.com/4575-1/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dom4j_project:dom4j::::::::
	cpe:2.3:a:dom4j_project:dom4j::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:banking_platform::::::::
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:documaker::::::::
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::*
	cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee::::::::
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette::::::::
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
	cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:rapid_planning:12.1:::::::*
	cpe:2.3:a:oracle:rapid_planning:12.2:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.0.3:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.1.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:::::::*
	cpe:2.3:a:oracle:utilities_framework::::::::
	cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::

Configuration 5 (hide)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

History

07 Nov 2023, 03:14

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E', 'name': '[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E', 'name': '[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E', 'name': '[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E - () https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E - () https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E -

Information

Published : 2020-05-01 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-10683

Mitre link : CVE-2020-10683

CVE.ORG link : CVE-2020-10683

JSON object : View

Products Affected

oracle

endeca_information_discovery_integrator
retail_integration_bus
retail_customer_management_and_segmentation_foundation
enterprise_manager_base_platform
insurance_rules_palette
application_testing_suite
retail_price_management
communications_diameter_signaling_router
retail_order_broker
retail_xstore_point_of_service
enterprise_data_quality
primavera_p6_enterprise_project_portfolio_management
business_process_management_suite
agile_plm
documaker
communications_unified_inventory_management
communications_application_session_controller
rapid_planning
insurance_policy_administration_j2ee
jdeveloper
utilities_framework
banking_platform
data_integrator
financial_services_analytical_applications_infrastructure
webcenter_portal
health_sciences_information_manager
flexcube_core_banking
fusion_middleware
storagetek_tape_analytics_sw_tool
health_sciences_empirica_signal

netapp

oncommand_api_services
snapmanager
snapcenter
snap_creator_framework
oncommand_workflow_automation

dom4j_project

dom4j

opensuse

leap

canonical

ubuntu_linux

CWE

CWE-611

Improper Restriction of XML External Entity Reference

9.8 /10