Vulnerability Details CVE-2020-10683
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.024
EPSS Ranking 84.1%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200518-0002/
- https://usn.ubuntu.com/4575-1/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200518-0002/
- https://usn.ubuntu.com/4575-1/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2020-10683
-
cpe:2.3:a:dom4j_project:dom4j:1.1
-
cpe:2.3:a:dom4j_project:dom4j:1.2
-
cpe:2.3:a:dom4j_project:dom4j:1.3
-
cpe:2.3:a:dom4j_project:dom4j:1.4
-
cpe:2.3:a:dom4j_project:dom4j:1.4.1
-
cpe:2.3:a:dom4j_project:dom4j:1.5
-
cpe:2.3:a:dom4j_project:dom4j:1.5.1
-
cpe:2.3:a:dom4j_project:dom4j:1.5.2
-
cpe:2.3:a:dom4j_project:dom4j:1.6
-
cpe:2.3:a:dom4j_project:dom4j:1.6.1
-
cpe:2.3:a:dom4j_project:dom4j:2.0.0
-
cpe:2.3:a:dom4j_project:dom4j:2.0.1
-
cpe:2.3:a:dom4j_project:dom4j:2.0.2
-
cpe:2.3:a:dom4j_project:dom4j:2.1.0
-
cpe:2.3:a:dom4j_project:dom4j:2.1.1
-
cpe:2.3:a:dom4j_project:dom4j:2.1.2
-
cpe:2.3:a:netapp:oncommand_api_services:-
-
cpe:2.3:a:netapp:oncommand_workflow_automation:-
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:oracle:agile_plm:9.3.3
-
cpe:2.3:a:oracle:agile_plm:9.3.5
-
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
-
cpe:2.3:a:oracle:banking_platform:2.10.0
-
cpe:2.3:a:oracle:banking_platform:2.4.0
-
cpe:2.3:a:oracle:banking_platform:2.4.1
-
cpe:2.3:a:oracle:banking_platform:2.5.0
-
cpe:2.3:a:oracle:banking_platform:2.6.0
-
cpe:2.3:a:oracle:banking_platform:2.6.1
-
cpe:2.3:a:oracle:banking_platform:2.6.2
-
cpe:2.3:a:oracle:banking_platform:2.7.0
-
cpe:2.3:a:oracle:banking_platform:2.7.1
-
cpe:2.3:a:oracle:banking_platform:2.8.0
-
cpe:2.3:a:oracle:banking_platform:2.9.0
-
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0
-
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0
-
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
-
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0
-
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0
-
cpe:2.3:a:oracle:documaker:12.6.0
-
cpe:2.3:a:oracle:documaker:12.6.3
-
cpe:2.3:a:oracle:documaker:12.6.4
-
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0
-
cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0
-
cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.10.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.7.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.8.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.9.0
-
cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0
-
cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0
-
cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.1.0.15
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.0.26
-
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.2.2.0
-
cpe:2.3:a:oracle:insurance_rules_palette:10.2.0
-
cpe:2.3:a:oracle:insurance_rules_palette:10.2.4
-
cpe:2.3:a:oracle:insurance_rules_palette:11.0.2
-
cpe:2.3:a:oracle:insurance_rules_palette:11.1.0
-
cpe:2.3:a:oracle:insurance_rules_palette:11.1.0.15
-
cpe:2.3:a:oracle:insurance_rules_palette:11.2.0
-
cpe:2.3:a:oracle:insurance_rules_palette:11.2.0.26
-
cpe:2.3:a:oracle:insurance_rules_palette:11.2.7
-
cpe:2.3:a:oracle:insurance_rules_palette:11.2.8
-
cpe:2.3:a:oracle:insurance_rules_palette:11.3.0
-
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.18
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.19.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.19.3
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2.20.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.10
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.12
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.14
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.17.1
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.2.16.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.3
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.4
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.5
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.6
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.9
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.1.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.11
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.15.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.16.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.18.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.18.2
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.19.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.0.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.1.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.2.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.3.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.4.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.5.0
-
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.6.0
-
cpe:2.3:a:oracle:rapid_planning:12.1
-
cpe:2.3:a:oracle:rapid_planning:12.2
-
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0
-
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0
-
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0
-
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0
-
cpe:2.3:a:oracle:retail_integration_bus:15.0
-
cpe:2.3:a:oracle:retail_integration_bus:16.0
-
cpe:2.3:a:oracle:retail_order_broker:15.0
-
cpe:2.3:a:oracle:retail_order_broker:16.0
-
cpe:2.3:a:oracle:retail_order_broker:18.0
-
cpe:2.3:a:oracle:retail_order_broker:19.0
-
cpe:2.3:a:oracle:retail_order_broker:19.1
-
cpe:2.3:a:oracle:retail_price_management:14.0.3
-
cpe:2.3:a:oracle:retail_price_management:14.1.3.0
-
cpe:2.3:a:oracle:retail_price_management:15.0.3.0
-
cpe:2.3:a:oracle:retail_price_management:16.0.3.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
-
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3
-
cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.2.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.3.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.4.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0
-
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
-
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:opensuse:leap:15.1