Vulnerabilities > CVE-2020-10683 - XXE vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-719.NASL description This update for dom4j fixes the following issues : - CVE-2020-10683: Fixed an XML External Entity vulnerability in default SAX parser (bsc#1169760). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-06 modified 2020-05-29 plugin id 136960 published 2020-05-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136960 title openSUSE Security Update : dom4j (openSUSE-2020-719) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1596.NASL description According to the version of the dom4j package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.(CVE-2020-10683) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-06 modified 2020-06-02 plugin id 137014 published 2020-06-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137014 title EulerOS 2.0 SP5 : dom4j (EulerOS-SA-2020-1596) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2191.NASL description A flaw was found in dom4j library. By using the default SaxReader() provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE. For Debian 8 last seen 2020-05-12 modified 2020-05-01 plugin id 136201 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136201 title Debian DLA-2191-1 : dom4j security update
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200518-0002/
- https://usn.ubuntu.com/4575-1/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://usn.ubuntu.com/4575-1/
- https://security.netapp.com/advisory/ntap-20200518-0002/
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235