CVE-2020-10683 – org.dom4j:dom4j
Package
Manager: maven
Name: org.dom4j:dom4j
Vulnerable Version: >=2.0.0 <2.0.3 || >=2.1.0 <2.1.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02443 (percentile 0.84597)
Details
dom4j allows external entities by default, which might enable XXE attacks. dom4j before 2.1.3 (and, on the 2.0 line, before 2.0.3) allows external DTDs and external entities by default, so any application that hands untrusted XML to a default-configured dom4j parser is exposed to XML External Entity (XXE) attacks: local file disclosure, SSRF via SYSTEM identifiers, and DTD-based denial of service. However, there is popular external documentation from OWASP (the XML External Entity Prevention Cheat Sheet) showing how to enable the safe, non-default behavior in any application that uses dom4j, so applications pinned to an affected version can still be hardened by configuring the parser explicitly. Note: This advisory also applies to the legacy `dom4j:dom4j` 1.x artifacts. To resolve this, a change to the latest version of `org.dom4j:dom4j` (2.1.3 or later) is recommended; where an upgrade is not immediately possible, apply the OWASP parser configuration to every `SAXReader` (and any helper that creates one) as a compensating control.
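The following example is added here and is not part of the advisory or of the dom4j project. It shows a default `SAXReader` beside one configured with the OWASP-documented hardening features, run against a constructed XXE probe. The class name, the probe document, and the target file path in its SYSTEM identifier are assumptions chosen for illustration; the feature URIs are the standard SAX/Xerces ones the OWASP cheat sheet lists for dom4j.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeDemo {

    // Constructed XXE probe (not from the advisory): the internal DTD subset declares an
    // external general entity and the element body references it. When external entities
    // are enabled, the parser fetches the target and substitutes its contents into <data>.
    // The file path is an assumption chosen for illustration only.
    private static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "  <!ENTITY ext SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<data>&ext;</data>";

    /** Default SAXReader: on affected dom4j versions this resolves the external entity. */
    static Document parseWithDefaults(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        return reader.read(new StringReader(xml));
    }

    /** Hardened SAXReader: the OWASP-documented configuration that disables DTDs and external entities. */
    static Document parseHardened(String xml) throws DocumentException, SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE declaration outright. This single feature blocks XXE, external-DTD
        // fetches and entity-expansion DoS, and is the right setting whenever the expected input
        // never legitimately carries a DTD.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above: never resolve
        // external general or parameter entities, and never load an external DTD.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader.read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        try {
            Document doc = parseWithDefaults(XXE_PAYLOAD);
            // On an affected version the root element text is the contents of the referenced file.
            System.out.println("default parser text: " + doc.getRootElement().getText());
        } catch (DocumentException e) {
            System.out.println("default parser refused: " + e.getMessage());
        }
        try {
            parseHardened(XXE_PAYLOAD);
            System.out.println("hardened parser accepted the payload (unexpected)");
        } catch (DocumentException e) {
            // Expected on every version: the DOCTYPE is disallowed, so parsing fails before
            // any entity is resolved and no file is read.
            System.out.println("hardened parser refused: " + e.getMessage());
        }
    }
}
```

Run it once against the affected version from the dependency tree and once after upgrading to 2.1.3 or later: the default reader's behaviour changes between the two, while the hardened reader rejects the probe in both cases, which is why the explicit configuration is worth keeping even after the upgrade. Note that `setFeature` is only effective on the `SAXReader` it is called on; convenience entry points such as `DocumentHelper.parseText` build their own reader and must be replaced with a hardened instance.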
Metadata
Created: 2020-06-05T16:13:36Z
Modified: 2022-02-08T22:06:12Z
Source: MANUAL
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-hwj3-m3p6-hj38
Finding: F083
Auto approve: 1