CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Provider | Type | Base Score (CVSS 3.x) | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre | CNA | --- | --- | | |
CVE | ADP | --- | --- | | |

EPSS Score: percentile 80%
Vendor | Product | Version
dom4j_project | dom4j | x < 2.0.3
dom4j_project | dom4j | 2.1.0 ≤ x < 2.1.3
oracle | agile_plm | 9.3.3
oracle | agile_plm | 9.3.5
oracle | application_testing_suite | 13.3.0.1
oracle | banking_platform | 2.4.0 ≤ x ≤ 2.10.0
oracle | business_process_management_suite | 12.2.1.3.0
oracle | business_process_management_suite | 12.2.1.4.0
oracle | communications_application_session_controller | 3.9m0p1:m0p1
oracle | communications_diameter_signaling_router | 8.0.0 ≤ x ≤ 8.2.2
oracle | communications_unified_inventory_management | 7.3.0
oracle | communications_unified_inventory_management | 7.4.0
oracle | data_integrator | 12.2.1.3.0
oracle | data_integrator | 12.2.1.4.0
oracle | documaker | 12.6.0 ≤ x ≤ 12.6.4
oracle | endeca_information_discovery_integrator | 3.2.0
oracle | enterprise_data_quality | 11.1.1.9.0
oracle | enterprise_data_quality | 12.2.1.3.0
oracle | enterprise_manager_base_platform | 13.4.0.0
oracle | financial_services_analytical_applications_infrastructure | 8.0.6 ≤ x ≤ 8.1.0
oracle | flexcube_core_banking | 11.7.0
oracle | flexcube_core_banking | 11.8.0
oracle | flexcube_core_banking | 11.9.0
oracle | flexcube_core_banking | 11.10.0
oracle | fusion_middleware | 12.2.1.4.0
oracle | health_sciences_empirica_signal | 9.0
oracle | health_sciences_information_manager | 3.0.1
oracle | insurance_policy_administration_j2ee | 11.1.0 ≤ x ≤ 11.3.0
oracle | insurance_policy_administration_j2ee | 10.2.0
oracle | insurance_policy_administration_j2ee | 10.2.4
oracle | insurance_policy_administration_j2ee | 11.0.2
oracle | insurance_rules_palette | 11.1.0 ≤ x ≤ 11.3.0
oracle | insurance_rules_palette | 10.2.0
oracle | insurance_rules_palette | 10.2.4
oracle | insurance_rules_palette | 11.0.2
oracle | jdeveloper | 12.2.1.4.0
oracle | primavera_p6_enterprise_project_portfolio_management | 16.1.0.0 ≤ x ≤ 16.2.20.1
oracle | primavera_p6_enterprise_project_portfolio_management | 17.1.0.0 ≤ x ≤ 17.12.17.1
oracle | primavera_p6_enterprise_project_portfolio_management | 18.1.0.0 ≤ x ≤ 18.8.19.0
oracle | primavera_p6_enterprise_project_portfolio_management | 19.12.0.0 ≤ x ≤ 19.12.6.0
oracle | rapid_planning | 12.1
oracle | rapid_planning | 12.2
oracle | retail_customer_management_and_segmentation_foundation | 16.0
oracle | retail_customer_management_and_segmentation_foundation | 17.0
oracle | retail_customer_management_and_segmentation_foundation | 18.0
oracle | retail_customer_management_and_segmentation_foundation | 19.0
oracle | retail_integration_bus | 15.0
oracle | retail_integration_bus | 16.0
oracle | retail_order_broker | 15.0
oracle | retail_order_broker | 16.0
oracle | retail_order_broker | 18.0
oracle | retail_order_broker | 19.0
oracle | retail_order_broker | 19.1
oracle | retail_price_management | 14.0.3
oracle | retail_price_management | 14.1.3.0
oracle | retail_price_management | 15.0.3.0
oracle | retail_price_management | 16.0.3.0
oracle | retail_xstore_point_of_service | 15.0.4
oracle | retail_xstore_point_of_service | 16.0.6
oracle | retail_xstore_point_of_service | 17.0.4
oracle | retail_xstore_point_of_service | 18.0.3
oracle | storagetek_tape_analytics_sw_tool | 2.3
oracle | utilities_framework | 4.3.0.1.0 ≤ x ≤ 4.3.0.6.0
oracle | utilities_framework | 2.2.0.0.0
oracle | utilities_framework | 4.2.0.2.0
oracle | utilities_framework | 4.2.0.3.0
oracle | utilities_framework | 4.4.0.0.0
oracle | utilities_framework | 4.4.0.2.0
oracle | webcenter_portal | 11.1.1.9.0
oracle | webcenter_portal | 12.2.1.3.0
oracle | webcenter_portal | 12.2.1.4.0
opensuse | leap | 15.1
netapp | oncommand_api_services | -
netapp | oncommand_workflow_automation | -
netapp | snap_creator_framework | -
netapp | snapcenter | -
netapp | snapmanager | -
netapp | snapmanager | -
canonical | ubuntu_linux | 16.04

x = vulnerable software versions
Debian Releases

Debian Product | Codename | Version | Status
dom4j | bullseye | 2.1.3-1 | fixed
dom4j | buster | | no-dsa
dom4j | stretch | | no-dsa
dom4j | bookworm | 2.1.3-2 | fixed
dom4j | sid | 2.1.4-1 | fixed
dom4j | trixie | 2.1.4-1 | fixed
Ubuntu Releases

Ubuntu Product | Codename | Version | Status
dom4j | noble | | not-affected
dom4j | mantic | | not-affected
dom4j | lunar | | not-affected
dom4j | kinetic | | not-affected
dom4j | jammy | | not-affected
dom4j | impish | | not-affected
dom4j | hirsute | | not-affected
dom4j | groovy | | ignored
dom4j | focal | | needed
dom4j | eoan | | ignored
dom4j | bionic | | needed
dom4j | xenial | Fixed 1.6.1+dfsg.3-2ubuntu1.1 | released
dom4j | trusty | | needs-triage
References