GHSA-hwj3-m3p6-hj38

Source

https://github.com/advisories/GHSA-hwj3-m3p6-hj38

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hwj3-m3p6-hj38

Aliases

CVE-2020-10683

Published

2020-06-05T16:13:36Z

Modified

2024-03-08T05:17:29.315551Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

dom4j allows External Entities by default which might enable XXE attacks

Details

dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.

References

Affected packages

Maven / org.dom4j:dom4j

Package

Name: org.dom4j:dom4j; View open source insights on deps.dev
Purl: pkg:maven/org.dom4j/dom4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.3

Affected versions

2.*

2.0.0-RC1

2.0.0

2.0.1

2.0.2

Maven / org.dom4j:dom4j

Package

Name: org.dom4j:dom4j; View open source insights on deps.dev
Purl: pkg:maven/org.dom4j/dom4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.3

Affected versions

2.*

2.1.0

2.1.1

Maven / dom4j:dom4j

Package

Name: dom4j:dom4j; View open source insights on deps.dev
Purl: pkg:maven/dom4j/dom4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.6.1

Affected versions

1.*

1.1

1.3

1.4

1.4-dev-2

1.4-dev-3

1.4-dev-4

1.4-dev-5

1.4-dev-6

1.4-dev-7

1.4-dev-8

1.5-beta-2

1.5-rc1

1.5

1.5.1

1.5.2

1.6

1.6.1