CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1694235 Issue Tracking Patch Third Party Advisory
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 Patch Third Party Advisory
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 Release Notes Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html Third Party Advisory
https://security.netapp.com/advisory/ntap-20200518-0002/ Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://github.com/dom4j/dom4j/commits/version-2.0.3 Patch Third Party Advisory
https://github.com/dom4j/dom4j/issues/87 Third Party Advisory
https://usn.ubuntu.com/4575-1/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch Third Party Advisory
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*
cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Configuration 5 (hide)

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

Information

Published : 2020-05-01 19:15

Updated : 2021-10-20 11:15


NVD link : CVE-2020-10683

Mitre link : CVE-2020-10683


JSON object : View

Products Affected

oracle

  • data_integrator
  • fusion_middleware
  • health_sciences_empirica_signal
  • rapid_planning
  • retail_order_broker
  • retail_price_management
  • primavera_p6_enterprise_project_portfolio_management
  • jdeveloper
  • communications_unified_inventory_management
  • retail_customer_management_and_segmentation_foundation
  • webcenter_portal
  • agile_plm
  • enterprise_manager_base_platform
  • communications_diameter_signaling_router
  • financial_services_analytical_applications_infrastructure
  • enterprise_data_quality
  • banking_platform
  • application_testing_suite
  • endeca_information_discovery_integrator
  • retail_xstore_point_of_service
  • communications_application_session_controller
  • utilities_framework
  • retail_integration_bus
  • health_sciences_information_manager
  • business_process_management_suite
  • storagetek_tape_analytics_sw_tool

netapp

  • oncommand_workflow_automation
  • snapmanager
  • oncommand_api_services
  • snapcenter
  • snap_creator_framework

dom4j_project

  • dom4j

opensuse

  • leap

canonical

  • ubuntu_linux
CWE
CWE-611

Improper Restriction of XML External Entity Reference