CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1694235	Issue Tracking Patch Third Party Advisory
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658	Patch Third Party Advisory
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3	Release Notes Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html	Third Party Advisory
https://security.netapp.com/advisory/ntap-20200518-0002/	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://github.com/dom4j/dom4j/commits/version-2.0.3	Patch Third Party Advisory
https://github.com/dom4j/dom4j/issues/87	Third Party Advisory
https://usn.ubuntu.com/4575-1/	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dom4j_project:dom4j::::::::
	cpe:2.3:a:dom4j_project:dom4j::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::*
	cpe:2.3:a:oracle:rapid_planning:12.1:::::::*
	cpe:2.3:a:oracle:rapid_planning:12.2:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:utilities_framework::::::::
	cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:::::::*
	cpe:2.3:a:oracle:banking_platform::::::::
	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette::::::::
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:::::::*
	cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.0.3:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.1.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
cpe:2.3:a:oracle:documaker::::::::
cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:::::::*
cpe:2.3:a:oracle:insurance_policy_administration_j2ee::::::::

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*

Configuration 5 (hide)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

History

07 Nov 2023, 03:14

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E', 'name': '[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E', 'name': '[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E', 'name': '[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E - () https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E - () https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E -

Information

Published : 2020-05-01 19:15

Updated : 2023-11-07 03:14

NVD link : CVE-2020-10683

Mitre link : CVE-2020-10683

JSON object : View

Products Affected

oracle

webcenter_portal
business_process_management_suite
insurance_policy_administration_j2ee
communications_diameter_signaling_router
jdeveloper
retail_xstore_point_of_service
documaker
rapid_planning
flexcube_core_banking
financial_services_analytical_applications_infrastructure
data_integrator
endeca_information_discovery_integrator
insurance_rules_palette
storagetek_tape_analytics_sw_tool
health_sciences_information_manager
enterprise_data_quality
banking_platform
fusion_middleware
utilities_framework
retail_customer_management_and_segmentation_foundation
communications_application_session_controller
retail_integration_bus
health_sciences_empirica_signal
agile_plm
primavera_p6_enterprise_project_portfolio_management
retail_price_management
communications_unified_inventory_management
enterprise_manager_base_platform
application_testing_suite
retail_order_broker

netapp

snapmanager
snapcenter
oncommand_workflow_automation
snap_creator_framework
oncommand_api_services

canonical

ubuntu_linux

opensuse

leap

dom4j_project

dom4j

CWE

CWE-611

Improper Restriction of XML External Entity Reference

9.8 /10