MidnightBSD

Advisories for dom4j_project

CVE-2018-1000632 MEDIUM

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-91,

Products Affected

Vendor Product Version
redhat jboss_enterprise_application_platform 6.4.0
netapp oncommand_workflow_automation -
netapp snapcenter -
oracle utilities_framework 2.2.0
oracle utilities_framework *
netapp snapmanager -
dom4j_project dom4j *
oracle utilities_framework 4.4.0.0.0
oracle flexcube_investor_servicing 12.1.0
oracle utilities_framework 4.4.0.2
oracle utilities_framework 4.2.0.2.0
redhat jboss_enterprise_application_platform 6.0.0
redhat satellite 6.6
oracle utilities_framework 4.2.0.3.0
debian debian_linux 8.0
oracle rapid_planning 12.1
oracle flexcube_investor_servicing 12.0.4
oracle rapid_planning 12.2
oracle flexcube_investor_servicing 12.4.0
oracle retail_integration_bus 15.0
oracle retail_integration_bus 16.0
netapp snap_creator_framework -
oracle primavera_p6_enterprise_project_portfolio_management *
redhat jboss_enterprise_application_platform 7.1.0
oracle flexcube_investor_servicing 12.3.0
redhat satellite_capsule 6.6
oracle flexcube_investor_servicing 14.0.0
CVE-2020-10683 HIGH

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-611,

Products Affected

Vendor Product Version
oracle retail_customer_management_and_segmentation_foundation 19.0
oracle enterprise_manager_base_platform 13.4.0.0
netapp oncommand_workflow_automation -
oracle retail_customer_management_and_segmentation_foundation 16.0
oracle endeca_information_discovery_integrator 3.2.0
netapp snapmanager -
oracle utilities_framework 4.4.0.0.0
oracle retail_order_broker 16.0
oracle health_sciences_information_manager 3.0.1
oracle retail_price_management 16.0.3.0
oracle retail_order_broker 15.0
oracle flexcube_core_banking 11.7.0
oracle agile_plm 9.3.3
oracle data_integrator 12.2.1.4.0
oracle retail_price_management 14.1.3.0
oracle rapid_planning 12.2
oracle flexcube_core_banking 11.9.0
netapp oncommand_api_services -
oracle utilities_framework 4.4.0.2.0
oracle webcenter_portal 12.2.1.4.0
oracle insurance_policy_administration_j2ee 10.2.4
oracle webcenter_portal 11.1.1.9.0
oracle insurance_rules_palette 11.0.2
oracle data_integrator 12.2.1.3.0
netapp snap_creator_framework -
oracle webcenter_portal 12.2.1.3.0
oracle business_process_management_suite 12.2.1.3.0
oracle financial_services_analytical_applications_infrastructure *
oracle fusion_middleware 12.2.1.4.0
oracle retail_price_management 15.0.3.0
oracle retail_xstore_point_of_service 16.0.6
oracle flexcube_core_banking 11.10.0
oracle agile_plm 9.3.5
oracle retail_price_management 14.0.3
oracle insurance_policy_administration_j2ee 10.2.0
oracle insurance_policy_administration_j2ee *
netapp snapcenter -
oracle documaker *
oracle communications_unified_inventory_management 7.4.0
oracle communications_unified_inventory_management 7.3.0
oracle business_process_management_suite 12.2.1.4.0
oracle utilities_framework *
dom4j_project dom4j *
canonical ubuntu_linux 16.04
oracle communications_diameter_signaling_router *
oracle retail_xstore_point_of_service 18.0.3
oracle health_sciences_empirica_signal 9.0
oracle retail_order_broker 19.0
oracle utilities_framework 2.2.0.0.0
oracle retail_xstore_point_of_service 15.0.4
oracle application_testing_suite 13.3.0.1
oracle banking_platform *
oracle utilities_framework 4.2.0.2.0
oracle insurance_rules_palette 10.2.4
oracle utilities_framework 4.2.0.3.0
oracle insurance_rules_palette 10.2.0
oracle jdeveloper 12.2.1.4.0
oracle retail_order_broker 18.0
oracle rapid_planning 12.1
oracle enterprise_data_quality 12.2.1.3.0
oracle retail_integration_bus 15.0
oracle retail_integration_bus 16.0
oracle retail_xstore_point_of_service 17.0.4
oracle enterprise_data_quality 11.1.1.9.0
oracle communications_application_session_controller 3.9m0p1
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle storagetek_tape_analytics_sw_tool 2.3
oracle flexcube_core_banking 11.8.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle retail_order_broker 19.1
oracle insurance_policy_administration_j2ee 11.0.2
opensuse leap 15.1
oracle insurance_rules_palette *
oracle retail_customer_management_and_segmentation_foundation 18.0