CVE-2020-10683 - XXE vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, dom4j-project, oracle, opensuse, netapp, canonical, CWE-611, critical, nessus

Summary

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default in its SAXReader, which enables XML External Entity (XXE, CWE-611) attacks against any application that parses untrusted XML with a default-configured reader. The safe behavior is not the default in those versions, but the OWASP XXE Prevention Cheat Sheet documents how to turn it on (disable DOCTYPE declarations and external general/parameter entities on the SAXReader) in any application that uses dom4j, regardless of version.
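The following is an added example, not code from the dom4j project or from this advisory. It shows the two configurations side by side: a default SAXReader, which on an affected version resolves the external entity and returns the contents of a file, and a reader hardened with the features recommended in the OWASP XXE Prevention Cheat Sheet, which refuses the document. The XML payload and the temporary "secret" file are constructed for the demonstration; the class name Dom4jXxeDemo and the helper names are assumptions. It assumes dom4j on the classpath and a JDK whose SAX parser (the built-in Xerces) supports the named features; Files.writeString needs Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeDemo {

    // Hardened reader, following the OWASP XXE Prevention Cheat Sheet guidance
    // for dom4j. Disallowing DOCTYPE alone defeats classic XXE; the remaining
    // features are belt-and-braces for parsers that ignore the first one.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Parse the document and return the text of the root element, which is
    // where an expanded external entity would end up.
    static String parseRootText(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the parsing host.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "constructed-secret-value");

        // Constructed XXE payload: an external general entity pointing at that file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<data>&xxe;</data>";

        try {
            // On dom4j before 2.0.3 / 2.1.x before 2.1.3 this prints the file contents.
            System.out.println("default SAXReader returned: "
                    + parseRootText(new SAXReader(), payload));
        } catch (DocumentException e) {
            System.out.println("default SAXReader refused the document: " + e.getMessage());
        }

        try {
            // The hardened reader rejects the DOCTYPE before any entity is resolved.
            System.out.println("hardened SAXReader returned: "
                    + parseRootText(hardenedReader(), payload));
        } catch (DocumentException e) {
            System.out.println("hardened SAXReader refused the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

When auditing an application, grep for `new SAXReader()` and `DocumentHelper.parseText(...)` and confirm each reader passes through a factory like hardenedReader() before it touches untrusted input; upgrading the library fixes the default, but an explicit configuration also protects code that later pins an older dom4j through a transitive dependency.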

Vulnerable Configurations

Part         Description     Count
Application  Dom4J_Project   20
Application  Oracle          160
Application  Netapp          6
OS           Opensuse        1
OS           Canonical       1

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2020-719.NASL
    description: This update for dom4j fixes the following issues: - CVE-2020-10683: Fixed an XML External Entity vulnerability in the default SAX parser (bsc#1169760). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-06
    modified: 2020-05-29
    plugin id: 136960
    published: 2020-05-29
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136960
    title: openSUSE Security Update : dom4j (openSUSE-2020-719)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1596.NASL
    description: According to the version of the dom4j package installed, the EulerOS installation on the remote host is affected by the following vulnerability: - dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. (CVE-2020-10683) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-06
    modified: 2020-06-02
    plugin id: 137014
    published: 2020-06-02
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/137014
    title: EulerOS 2.0 SP5 : dom4j (EulerOS-SA-2020-1596)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2191.NASL
    description: A flaw was found in the dom4j library. By using the default SaxReader() provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE. For Debian 8
    last seen: 2020-05-12
    modified: 2020-05-01
    plugin id: 136201
    published: 2020-05-01
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136201
    title: Debian DLA-2191-1 : dom4j security update

References