dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
21 Nov 2024, 04:55
Type | Values Removed | Values Added |
---|---|---|
References | () http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=1694235 - Issue Tracking, Patch, Third Party Advisory | |
References | () https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html - Third Party Advisory | |
References | () https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 - Patch, Third Party Advisory | |
References | () https://github.com/dom4j/dom4j/commits/version-2.0.3 - Patch, Third Party Advisory | |
References | () https://github.com/dom4j/dom4j/issues/87 - Third Party Advisory | |
References | () https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 - Release Notes, Third Party Advisory | |
References | () https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E - | |
References | () https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E - | |
References | () https://security.netapp.com/advisory/ntap-20200518-0002/ - Third Party Advisory | |
References | () https://usn.ubuntu.com/4575-1/ - Third Party Advisory | |
References | () https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujan2022.html - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2020.html - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2022.html - | |
References | () https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Feb 2022, 20:02
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Third Party Advisory |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Dec 2021, 17:11
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:* |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Sep 2021, 12:05
Type | Values Removed | Values Added |
---|---|---|
CPE |
14 Sep 2021, 14:04
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:* cpe:2.3:a:apache:freemarker:2.3.31:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory | |
References | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E - Mailing List, Third Party Advisory | |
References | (UBUNTU) https://usn.ubuntu.com/4575-1/ - Third Party Advisory |
07 Sep 2021, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Jun 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-05-01 19:15
Updated : 2024-11-21 04:55
NVD link : CVE-2020-10683
Mitre link : CVE-2020-10683
CVE.ORG link : CVE-2020-10683
JSON object : View
Products Affected
oracle
- retail_order_broker
- insurance_policy_administration_j2ee
- data_integrator
- business_process_management_suite
- application_testing_suite
- insurance_rules_palette
- communications_diameter_signaling_router
- health_sciences_empirica_signal
- utilities_framework
- fusion_middleware
- webcenter_portal
- retail_price_management
- financial_services_analytical_applications_infrastructure
- banking_platform
- enterprise_data_quality
- health_sciences_information_manager
- communications_unified_inventory_management
- communications_application_session_controller
- documaker
- primavera_p6_enterprise_project_portfolio_management
- retail_integration_bus
- enterprise_manager_base_platform
- flexcube_core_banking
- endeca_information_discovery_integrator
- jdeveloper
- rapid_planning
- storagetek_tape_analytics_sw_tool
- retail_customer_management_and_segmentation_foundation
- retail_xstore_point_of_service
- agile_plm
netapp
- snap_creator_framework
- snapmanager
- oncommand_workflow_automation
- snapcenter
- oncommand_api_services
canonical
- ubuntu_linux
dom4j_project
- dom4j
opensuse
- leap
CWE
CWE-611
Improper Restriction of XML External Entity Reference