Vulnerability Description
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
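An added example, not code from the page or from the dom4j project, showing the safe non-default configuration the description refers to: the SAXReader features documented in the OWASP XML External Entity Prevention cheat sheet, applied before any untrusted input is read. The class name, the helper names and both sample documents are constructed for illustration.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4j {

    // Builds a SAXReader with the secure, non-default settings. In dom4j before
    // 2.0.3 / 2.1.3 a plain `new SAXReader()` resolves external DTDs and external
    // entities, so these features must be set explicitly by the application.
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Strongest setting: refuse any DOCTYPE, since every XXE variant needs
        // a DOCTYPE to declare its entities.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for applications that must keep DOCTYPE enabled.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Parses untrusted XML text; returns null when the hardened parser rejects it.
    public static Document parseUntrusted(String xml) throws SAXException {
        try {
            return newHardenedReader().read(new StringReader(xml));
        } catch (DocumentException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE with an
        // internal entity declaration only (no external resource is referenced).
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY x \"internal\">]><order>&x;</order>";

        Document ok = parseUntrusted(plain);
        System.out.println("plain id: " + ok.getRootElement().element("id").getText());

        Document rejected = parseUntrusted(withDoctype);
        System.out.println("doctype document accepted: " + (rejected != null));
    }
}
```

With `disallow-doctype-decl` set, the second document is rejected at the DOCTYPE before any entity is expanded, which is the behaviour to verify in a regression test when dom4j cannot be upgraded immediately.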
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dom4J Project | Dom4J | < 2.0.3 |
| Oracle | Agile PLM | 9.3.3 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Banking Platform | >= 2.4.0, <= 2.10.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Communications Application Session Controller | 3.9m0p1 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 |
| Oracle | Communications Unified Inventory Management | 7.3.0 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Documaker | >= 12.6.0, <= 12.6.4 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Data Quality | 11.1.1.9.0 |
| Oracle | Enterprise Manager Base Platform | 13.4.0.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Core Banking | 11.7.0 |
| Oracle | Fusion Middleware | 12.2.1.4.0 |
| Oracle | Health Sciences Empirica Signal | 9.0 |
| Oracle | Health Sciences Information Manager | 3.0.1 |
| Oracle | Insurance Policy Administration J2EE | >= 11.1.0, <= 11.3.0 |
| Oracle | Insurance Rules Palette | >= 11.1.0, <= 11.3.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235 (Issue Tracking, Patch, Third Party Advisory)
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Ch (Third Party Advisory)
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 (Patch, Third Party Advisory)
- https://github.com/dom4j/dom4j/commits/version-2.0.3 (Patch, Third Party Advisory)
- https://github.com/dom4j/dom4j/issues/87 (Third Party Advisory)
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 (Release Notes, Third Party Advisory)
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7a
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d56457227
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c978
- https://security.netapp.com/advisory/ntap-20200518-0002/ (Third Party Advisory)
- https://usn.ubuntu.com/4575-1/ (Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2020-10683?
CVE-2020-10683 is a vulnerability with a CVSS score of 9.8 (CRITICAL). dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how...
How severe is CVE-2020-10683?
CVE-2020-10683 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-10683?
Check the references section above for vendor advisories and patch information. Affected products include: Dom4J Project Dom4J, Oracle Agile Plm, Oracle Application Testing Suite, Oracle Banking Platform, Oracle Business Process Management Suite.