CVE-2020-10683

Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 6.96%• Percentile: 92%

Techniques & Countermeasures

• CWE-611•Improper Restriction of XML External Entity Reference

  The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Systems

• canonical•ubuntu_linux

  16.04

• dom4j_project•dom4j

  < 2.0.3 | ≥ 2.1.0, < 2.1.3

• dom4j•dom4j

  ≤ 1.6.1

• org.dom4j•dom4j

  < 2.0.3 | ≥ 2.1.0, < 2.1.3

• netapp•oncommand_api_services

  na

• netapp•oncommand_workflow_automation

  na

• netapp•snap_creator_framework

  na

• netapp•snapcenter

  na

• netapp•snapmanager

  na

• opensuse•leap

  15.1

• oracle•agile_plm

  9.3.3 | 9.3.5

• oracle•application_testing_suite

  13.3.0.1

• oracle•banking_platform

  ≥ 2.4.0, ≤ 2.10.0

• oracle•business_process_management_suite

  12.2.1.3.0 | 12.2.1.4.0

• oracle•communications_application_session_controller

  3.9m0p1

• oracle•communications_diameter_signaling_router

  ≥ 8.0.0, ≤ 8.2.2

• oracle•communications_unified_inventory_management

  7.3.0 | 7.4.0

• oracle•data_integrator

  12.2.1.3.0 | 12.2.1.4.0

• oracle•documaker

  ≥ 12.6.0, ≤ 12.6.4

• oracle•endeca_information_discovery_integrator

  3.2.0

• oracle•enterprise_data_quality

  11.1.1.9.0 | 12.2.1.3.0

• oracle•enterprise_manager_base_platform

  13.4.0.0

• oracle•financial_services_analytical_applications_infrastructure

  ≥ 8.0.6, ≤ 8.1.0

• oracle•flexcube_core_banking

  11.7.0 | 11.8.0 | 11.9.0 | 11.10.0

• Unknown•Fusion Middleware

  12.2.1.4.0

• oracle•health_sciences_empirica_signal

  9.0

• oracle•health_sciences_information_manager

  3.0.1

• oracle•insurance_policy_administration_j2ee

  ≥ 11.1.0, ≤ 11.3.0 | 10.2.0 | 10.2.4 | 11.0.2

• oracle•insurance_rules_palette

  ≥ 11.1.0, ≤ 11.3.0 | 10.2.0 | 10.2.4 | 11.0.2

• oracle•jdeveloper

  12.2.1.4.0

• oracle•primavera_p6_enterprise_project_portfolio_management

  ≥ 16.1.0.0, ≤ 16.2.20.1 | ≥ 17.1.0.0, ≤ 17.12.17.1 | ≥ 18.1.0.0, ≤ 18.8.19.0 | ≥ 19.12.0.0, ≤ 19.12.6.0

• oracle•rapid_planning

  12.1 | 12.2

• oracle•retail_customer_management_and_segmentation_foundation

  16.0 | 17.0 | 18.0 | 19.0

• oracle•retail_integration_bus

  15.0 | 16.0

• oracle•retail_order_broker

  15.0 | 16.0 | 18.0 | 19.0 | 19.1

• oracle•retail_price_management

  14.0.3 | 14.1.3.0 | 15.0.3.0 | 16.0.3.0

• oracle•retail_xstore_point_of_service

  15.0.4 | 16.0.6 | 17.0.4 | 18.0.3

• oracle•storagetek_tape_analytics_sw_tool

  2.3

• oracle•utilities_framework

  ≥ 4.3.0.1.0, ≤ 4.3.0.6.0 | 2.2.0.0.0 | 4.2.0.2.0 | 4.2.0.3.0 | 4.4.0.0.0 | 4.4.0.2.0

• oracle•webcenter_portal

  11.1.1.9.0 | 12.2.1.3.0 | 12.2.1.4.0

References (28)

• http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1694235
• https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
• https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
• https://security.netapp.com/advisory/ntap-20200518-0002/
• https://usn.ubuntu.com/4575-1/
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://github.com/dom4j/dom4j/issues/87
• https://github.com/dom4j/dom4j/commits/version-2.0.3
• https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
• https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://nvd.nist.gov/vuln/detail/CVE-2020-10683
• https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
• https://usn.ubuntu.com/4575-1
• https://security.netapp.com/advisory/ntap-20200518-0002
• https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E
• https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E
• https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E
• https://github.com/dom4j/dom4j