Vulnerability Details CVE-2018-1000632
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://access.redhat.com/errata/RHSA-2019:0362
- https://access.redhat.com/errata/RHSA-2019:0364
- https://access.redhat.com/errata/RHSA-2019:0365
- https://access.redhat.com/errata/RHSA-2019:0380
- https://access.redhat.com/errata/RHSA-2019:1159
- https://access.redhat.com/errata/RHSA-2019:1160
- https://access.redhat.com/errata/RHSA-2019:1161
- https://access.redhat.com/errata/RHSA-2019:1162
- https://access.redhat.com/errata/RHSA-2019:3172
- https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
- https://github.com/dom4j/dom4j/issues/48
- https://ihacktoprotect.com/post/dom4j-xml-injection/
- https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/
- https://security.netapp.com/advisory/ntap-20190530-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://access.redhat.com/errata/RHSA-2019:0362
- https://access.redhat.com/errata/RHSA-2019:0364
- https://access.redhat.com/errata/RHSA-2019:0365
- https://access.redhat.com/errata/RHSA-2019:0380
- https://access.redhat.com/errata/RHSA-2019:1159
- https://access.redhat.com/errata/RHSA-2019:1160
- https://access.redhat.com/errata/RHSA-2019:1161
- https://access.redhat.com/errata/RHSA-2019:1162
- https://access.redhat.com/errata/RHSA-2019:3172
- https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
- https://github.com/dom4j/dom4j/issues/48
- https://ihacktoprotect.com/post/dom4j-xml-injection/
- https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/
- https://security.netapp.com/advisory/ntap-20190530-0001/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Products affected by CVE-2018-1000632
-
cpe:2.3:a:dom4j_project:dom4j:2.0.0
-
cpe:2.3:a:dom4j_project:dom4j:2.0.1
-
cpe:2.3:a:dom4j_project:dom4j:2.0.2
-
cpe:2.3:a:dom4j_project:dom4j:2.1.0
-
cpe:2.3:a:netapp:oncommand_workflow_automation:-
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4
-
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0
-
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0
-
cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0
-
cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.18
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.19.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.19.3
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.10
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.14
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2.16.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.3
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.5
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.6
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.9
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.16.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.18.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.18.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.19.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.1.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.2.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.3.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.4.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.5.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.6.0
-
cpe:2.3:a:oracle:rapid_planning:12.1
-
cpe:2.3:a:oracle:rapid_planning:12.2
-
cpe:2.3:a:oracle:retail_integration_bus:15.0
-
cpe:2.3:a:oracle:retail_integration_bus:16.0
-
cpe:2.3:a:oracle:utilities_framework:2.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.2
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0
-
cpe:2.3:a:redhat:satellite:6.6
-
cpe:2.3:a:redhat:satellite_capsule:6.6
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux:5.0
-
cpe:2.3:o:redhat:enterprise_linux:6.0
-
cpe:2.3:o:redhat:enterprise_linux:7.0