CVE-2018-1000632

Source
https://cve.org/CVERecord?id=CVE-2018-1000632
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000632.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-1000632
Aliases
Downstream
Related
Published
2018-08-20T19:31:31.230Z
Modified
2026-07-09T01:44:08.023940Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "16.1.0.0"
                },
                {
                    "last_affected": "16.2.20.1"
                },
                {
                    "introduced": "17.1.0.0"
                },
                {
                    "last_affected": "17.12.17.1"
                },
                {
                    "introduced": "18.1.0.0"
                },
                {
                    "last_affected": "18.8.19.0"
                },
                {
                    "introduced": "19.12.0.0"
                },
                {
                    "last_affected": "19.12.6.0"
                }
            ],
            "source": "CPE_RANGE",
            "vendor_product": "oracle:primavera_p6_enterprise_project_portfolio_management"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "4.3.0.2.0"
                },
                {
                    "last_affected": "4.3.0.6.0"
                }
            ],
            "source": "CPE_RANGE",
            "vendor_product": "oracle:utilities_framework"
        },
        {
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "8.0"
                },
                {
                    "last_affected": "8.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "debian:debian_linux"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "12.0.4"
                },
                {
                    "last_affected": "12.0.4"
                },
                {
                    "introduced": "12.1.0"
                },
                {
                    "last_affected": "12.1.0"
                },
                {
                    "introduced": "12.3.0"
                },
                {
                    "last_affected": "12.3.0"
                },
                {
                    "introduced": "12.4.0"
                },
                {
                    "last_affected": "12.4.0"
                },
                {
                    "introduced": "14.0.0"
                },
                {
                    "last_affected": "14.0.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "oracle:flexcube_investor_servicing"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "12.1"
                },
                {
                    "last_affected": "12.1"
                },
                {
                    "introduced": "12.2"
                },
                {
                    "last_affected": "12.2"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "oracle:rapid_planning"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "15.0"
                },
                {
                    "last_affected": "15.0"
                },
                {
                    "introduced": "16.0"
                },
                {
                    "last_affected": "16.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "oracle:retail_integration_bus"
        },
        {
            "cpes": [
                "cpe:2.3:a:oracle:utilities_framework:2.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.2:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "2.2.0"
                },
                {
                    "last_affected": "2.2.0"
                },
                {
                    "introduced": "4.2.0.2.0"
                },
                {
                    "last_affected": "4.2.0.2.0"
                },
                {
                    "introduced": "4.2.0.3.0"
                },
                {
                    "last_affected": "4.2.0.3.0"
                },
                {
                    "introduced": "4.4.0.0.0"
                },
                {
                    "last_affected": "4.4.0.0.0"
                },
                {
                    "introduced": "4.4.0.2"
                },
                {
                    "last_affected": "4.4.0.2"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "oracle:utilities_framework"
        },
        {
            "cpes": [
                "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "6.0.0"
                },
                {
                    "last_affected": "6.0.0"
                },
                {
                    "introduced": "6.4.0"
                },
                {
                    "last_affected": "6.4.0"
                },
                {
                    "introduced": "7.1.0"
                },
                {
                    "last_affected": "7.1.0"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "last_affected": "6.0.0"
                },
                {
                    "introduced": "6.4.0"
                },
                {
                    "last_affected": "6.4.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:jboss_enterprise_application_platform"
        },
        {
            "cpes": [
                "cpe:2.3:a:redhat:satellite:6.6:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "6.6"
                },
                {
                    "last_affected": "6.6"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:satellite"
        },
        {
            "cpes": [
                "cpe:2.3:a:redhat:satellite_capsule:6.6:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "6.6"
                },
                {
                    "last_affected": "6.6"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "redhat:satellite_capsule"
        }
    ]
}
References

Affected packages

Git / github.com/dom4j/dom4j

Affected ranges

Type
GIT
Repo
https://github.com/dom4j/dom4j
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.3"
        },
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.1"
        }
    ]
}

Affected versions

v2.*
v2.0.0
version-2.*
version-2.0.0
version-2.0.1
version-2.0.2
version-2.1.0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1000632.json"
vanir_signatures_modified
"2026-07-09T01:44:08Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Function",
        "id": "CVE-2018-1000632-35488c68",
        "digest": {
            "length": 327.0,
            "function_hash": "199325550788090166794109819653578629307"
        },
        "deprecated": false,
        "target": {
            "function": "get",
            "file": "src/main/java/org/dom4j/tree/QNameCache.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Line",
        "id": "CVE-2018-1000632-3bd6d515",
        "digest": {
            "line_hashes": [
                "314198188812661398941202424502439283026",
                "82741579659803731321705998136504987739",
                "151797185316034688866896672041363997013",
                "199636037147929886189862213997516158628"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/dom4j/Namespace.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Line",
        "id": "CVE-2018-1000632-4648bb49",
        "digest": {
            "line_hashes": [
                "147422418505375895194094920885579697205",
                "168608690976820459163785128903439418592",
                "285563659170242935906162937712434995479",
                "267323759805984201773350446167363660338"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/dom4j/tree/QNameCache.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Function",
        "id": "CVE-2018-1000632-4d9be67a",
        "digest": {
            "length": 193.0,
            "function_hash": "275065499305021125980377239777979989974"
        },
        "deprecated": false,
        "target": {
            "function": "QName",
            "file": "src/main/java/org/dom4j/QName.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/b408f43b5abc0b0f408819e620bd69e72248352f",
        "signature_type": "Function",
        "id": "CVE-2018-1000632-8fda56a5",
        "digest": {
            "length": 1013.0,
            "function_hash": "222350788314292880775679495024051012376"
        },
        "deprecated": false,
        "target": {
            "function": "escapeElementEntities",
            "file": "src/main/java/org/dom4j/io/XMLWriter.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Function",
        "id": "CVE-2018-1000632-91a793ae",
        "digest": {
            "length": 156.0,
            "function_hash": "50164286232166251017957768309715539050"
        },
        "deprecated": false,
        "target": {
            "function": "QName",
            "file": "src/main/java/org/dom4j/QName.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/b408f43b5abc0b0f408819e620bd69e72248352f",
        "signature_type": "Line",
        "id": "CVE-2018-1000632-b4384177",
        "digest": {
            "line_hashes": [
                "236725648184904110617248220882872560481",
                "223933174473266758575948796598846298948",
                "123995894774033409981594757100304515585",
                "277477800638228186424227467503674312602"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/dom4j/io/XMLWriter.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Line",
        "id": "CVE-2018-1000632-b4519614",
        "digest": {
            "line_hashes": [
                "159068995644970077640297364713887969558",
                "80789274561771364052924301408417159154",
                "151816500673044903496109026899881602596",
                "59332901774669520718939558736875745473",
                "280096135076175038850825573070871643726",
                "214913607474329058805161896514755869583",
                "42351094760623045212581057695845210285",
                "168930601465629580222610550953789028778",
                "91625039504964879982004240932877008270",
                "235041418355810679284335301429235532350",
                "30821750415135255648048159171374174012",
                "85346269660141706510647755255497829709",
                "113698993995322993817647003012983568741",
                "255488862362652146981607753092155544836",
                "290124909029656121859884563217930534750",
                "261387688273661779705760898402365817095",
                "109320987176496713575563761446899179581",
                "257960915943106047139086468834030106362"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/dom4j/QName.java"
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
        "signature_type": "Function",
        "id": "CVE-2018-1000632-c731c98f",
        "digest": {
            "length": 138.0,
            "function_hash": "206188708269763143262114288589286603567"
        },
        "deprecated": false,
        "target": {
            "function": "Namespace",
            "file": "src/main/java/org/dom4j/Namespace.java"
        }
    }
]