CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1694235	Issue Tracking Patch Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html	Third Party Advisory
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658	Patch Third Party Advisory
https://github.com/dom4j/dom4j/commits/version-2.0.3	Patch Third Party Advisory
https://github.com/dom4j/dom4j/issues/87	Third Party Advisory
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3	Release Notes Third Party Advisory
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
https://security.netapp.com/advisory/ntap-20200518-0002/	Third Party Advisory
https://usn.ubuntu.com/4575-1/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dom4j_project:dom4j::::::::
	cpe:2.3:a:dom4j_project:dom4j::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
	cpe:2.3:a:oracle:banking_platform::::::::
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router::::::::
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:documaker::::::::
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:::::::*
	cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::*
	cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::
	cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::*
	cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:::::::*
	cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee::::::::
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette::::::::
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:::::::*
	cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
	cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:rapid_planning:12.1:::::::*
	cpe:2.3:a:oracle:rapid_planning:12.2:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:::::::*
	cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.0.3:::::::*
	cpe:2.3:a:oracle:retail_price_management:14.1.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_price_management:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
	cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:::::::*
	cpe:2.3:a:oracle:utilities_framework::::::::
	cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::*
	cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::*
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:a:netapp:oncommand_api_services:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::

Configuration 5 (hide)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

History

25 Jul 2022, 18:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

22 Feb 2022, 20:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:insurance_policy_administration_j2ee:::::::: cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:::::::* cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:::::::* cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:::::::* cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:::::::* cpe:2.3:a:oracle:insurance_rules_palette:::::::: cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:::::::* cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Third Party Advisory

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

10 Dec 2021, 17:11

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:::::::* cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:::::::* cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:::::::* cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::* cpe:2.3:a:oracle:documaker::::::::

20 Oct 2021, 11:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

17 Sep 2021, 12:05

Type	Values Removed	Values Added
CPE	cpe:2.3:a:apache:freemarker:2.3.31:::::::*

14 Sep 2021, 14:04

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:::::::* cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:::::::* cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:::::::* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::* cpe:2.3:a:oracle:agile_plm:9.3.3:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:::::::* cpe:2.3:a:oracle:retail_order_broker:19.0:::::::* cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:::::::* cpe:2.3:a:oracle:retail_order_broker:19.1:::::::* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::* cpe:2.3:a:oracle:retail_price_management:14.0.3:::::::* cpe:2.3:a:oracle:banking_platform:::::::: cpe:2.3:a:oracle:retail_price_management:14.1.3.0:::::::* cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::* cpe:2.3:a:oracle:utilities_framework:::::::: cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::* cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:::::::* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:::::::* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:::::::* cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::* cpe:2.3:a:oracle:retail_order_broker:16.0:::::::* cpe:2.3:a:oracle:retail_order_broker:18.0:::::::* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:::::::* cpe:2.3:a:oracle:agile_plm:9.3.5:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:::::::: cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm::: cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::* cpe:2.3:a:oracle:retail_price_management:16.0.3.0:::::::* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:::::::* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:::::::* cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:::::::* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:::::::* cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:::::::* cpe:2.3:a:oracle:retail_price_management:15.0.3.0:::::::* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:::::::* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:::::::* cpe:2.3:a:oracle:retail_order_broker:15.0:::::::* cpe:2.3:a:apache:freemarker:2.3.31:::::::* cpe:2.3:a:oracle:communications_diameter_signaling_router:::::::: cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:::::::* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
References	~~(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E - Mailing List, Third Party Advisory
References	~~(UBUNTU) https://usn.ubuntu.com/4575-1/ -~~	(UBUNTU) https://usn.ubuntu.com/4575-1/ - Third Party Advisory

07 Sep 2021, 06:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -

14 Jun 2021, 18:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

Information

Published : 2020-05-01 19:15

Updated : 2024-02-04 21:00

NVD link : CVE-2020-10683

Mitre link : CVE-2020-10683

CVE.ORG link : CVE-2020-10683

JSON object : View

Products Affected

oracle

storagetek_tape_analytics_sw_tool
banking_platform
enterprise_data_quality
health_sciences_empirica_signal
webcenter_portal
insurance_rules_palette
retail_order_broker
fusion_middleware
flexcube_core_banking
retail_xstore_point_of_service
communications_application_session_controller
communications_unified_inventory_management
agile_plm
rapid_planning
enterprise_manager_base_platform
jdeveloper
documaker
application_testing_suite
financial_services_analytical_applications_infrastructure
insurance_policy_administration_j2ee
retail_customer_management_and_segmentation_foundation
retail_integration_bus
data_integrator
primavera_p6_enterprise_project_portfolio_management
utilities_framework
health_sciences_information_manager
business_process_management_suite
retail_price_management
endeca_information_discovery_integrator
communications_diameter_signaling_router

netapp

snap_creator_framework
snapmanager
snapcenter
oncommand_api_services
oncommand_workflow_automation

dom4j_project

dom4j

canonical

ubuntu_linux

opensuse

leap

CWE

CWE-611

Improper Restriction of XML External Entity Reference

9.8 /10