Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1694235

https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

https://github.com/dom4j/dom4j/releases/tag/version-2.1.3

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

https://security.netapp.com/advisory/ntap-20200518-0002/

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://github.com/dom4j/dom4j/commits/version-2.0.3

https://github.com/dom4j/dom4j/issues/87

https://usn.ubuntu.com/4575-1/

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E

https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E

https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E

Related Vulnerabilities

CVE-2018-8088 Vulnerability in maven package org.slf4j:slf4j-ext

CVE-2014-3651 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2023-3432 Vulnerability in maven package net.sourceforge.plantuml:plantuml

CVE-2022-24847 Vulnerability in maven package org.geoserver:gs-main

CVE-2021-35513 Vulnerability in maven package org.webjars.npm:mermaid

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Patch Third Party Advisory Release Notes