CVE-2018-1000632 — HIGH (7.5)

Q: How severe is CVE-2018-1000632?

CVE-2018-1000632 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1000632?

Check the references section above for vendor advisories and patch information. Affected products include: Dom4J Project Dom4J, Debian Debian Linux, Oracle Flexcube Investor Servicing, Oracle Primavera P6 Enterprise Project Portfolio Management, Oracle Rapid Planning.

Vulnerability Description

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Dom4J Project	Dom4J	>= 2.0.0, < 2.0.3
Debian	Debian Linux	8.0
Oracle	Flexcube Investor Servicing	12.0.4
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 16.1.0.0, <= 16.2.20.1
Oracle	Rapid Planning	12.1
Oracle	Retail Integration Bus	15.0
Oracle	Utilities Framework	>= 4.3.0.2.0, <= 4.3.0.6.0
Redhat	Satellite	6.6
Redhat	Satellite Capsule	6.6
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Enterprise Linux	6.0
Netapp	Oncommand Workflow Automation	-
Netapp	Snap Creator Framework	-
Netapp	Snapcenter	-
Netapp	Snapmanager	-

Related Weaknesses (CWE)

CWE-91

References

https://access.redhat.com/errata/RHSA-2019:0362Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0364Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0365Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0380Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1159Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1160Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1161Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1162Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3172Third Party Advisory
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387PatchThird Party Advisory
https://github.com/dom4j/dom4j/issues/48Third Party Advisory
https://ihacktoprotect.com/post/dom4j-xml-injection/ExploitThird Party Advisory
https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21eb
https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c
https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39

FAQ

What is CVE-2018-1000632?

CVE-2018-1000632 is a vulnerability with a CVSS score of 7.5 (HIGH). dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents thr...

How severe is CVE-2018-1000632?

CVE-2018-1000632 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000632?

Check the references section above for vendor advisories and patch information. Affected products include: Dom4J Project Dom4J, Debian Debian Linux, Oracle Flexcube Investor Servicing, Oracle Primavera P6 Enterprise Project Portfolio Management, Oracle Rapid Planning.