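dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default, which might enable XML External Entity (XXE) attacks when an application parses untrusted XML. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j; because that behavior is not the default, each application has to enable it explicitly.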
{
"unresolved_ranges": [
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"
],
"vendor_product": "canonical:ubuntu_linux",
"extracted_events": [
{
"last_affected": "16.04"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"vendor_product": "opensuse:leap",
"extracted_events": [
{
"last_affected": "15.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:agile_plm",
"extracted_events": [
{
"last_affected": "9.3.3"
},
{
"last_affected": "9.3.5"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:application_testing_suite",
"extracted_events": [
{
"last_affected": "13.3.0.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:banking_platform",
"extracted_events": [
{
"introduced": "2.4.0"
},
{
"last_affected": "2.10.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:business_process_management_suite",
"extracted_events": [
{
"last_affected": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_application_session_controller",
"extracted_events": [
{
"last_affected": "3.9m0p1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_diameter_signaling_router",
"extracted_events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.2.2"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_unified_inventory_management",
"extracted_events": [
{
"last_affected": "7.3.0"
},
{
"last_affected": "7.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:data_integrator",
"extracted_events": [
{
"last_affected": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:documaker",
"extracted_events": [
{
"introduced": "12.6.0"
},
{
"last_affected": "12.6.4"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:endeca_information_discovery_integrator",
"extracted_events": [
{
"last_affected": "3.2.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:enterprise_data_quality",
"extracted_events": [
{
"last_affected": "11.1.1.9.0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:enterprise_manager_base_platform",
"extracted_events": [
{
"last_affected": "13.4.0.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:financial_services_analytical_applications_infrastructure",
"extracted_events": [
{
"introduced": "8.0.6"
},
{
"last_affected": "8.1.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:flexcube_core_banking",
"extracted_events": [
{
"last_affected": "11.7.0"
},
{
"last_affected": "11.8.0"
},
{
"last_affected": "11.9.0"
},
{
"last_affected": "11.10.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:fusion_middleware",
"extracted_events": [
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:health_sciences_empirica_signal",
"extracted_events": [
{
"last_affected": "9.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:health_sciences_information_manager",
"extracted_events": [
{
"last_affected": "3.0.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:insurance_policy_administration_j2ee",
"extracted_events": [
{
"introduced": "11.1.0"
},
{
"last_affected": "11.3.0"
},
{
"last_affected": "10.2.0"
},
{
"last_affected": "10.2.4"
},
{
"last_affected": "11.0.2"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:insurance_rules_palette",
"extracted_events": [
{
"introduced": "11.1.0"
},
{
"last_affected": "11.3.0"
},
{
"last_affected": "10.2.0"
},
{
"last_affected": "10.2.4"
},
{
"last_affected": "11.0.2"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:jdeveloper",
"extracted_events": [
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:primavera_p6_enterprise_project_portfolio_management",
"extracted_events": [
{
"introduced": "16.1.0.0"
},
{
"last_affected": "16.2.20.1"
},
{
"introduced": "17.1.0.0"
},
{
"last_affected": "17.12.17.1"
},
{
"introduced": "18.1.0.0"
},
{
"last_affected": "18.8.19.0"
},
{
"introduced": "19.12.0.0"
},
{
"last_affected": "19.12.6.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:rapid_planning",
"extracted_events": [
{
"last_affected": "12.1"
},
{
"last_affected": "12.2"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_customer_management_and_segmentation_foundation",
"extracted_events": [
{
"last_affected": "16.0"
},
{
"last_affected": "17.0"
},
{
"last_affected": "18.0"
},
{
"last_affected": "19.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_integration_bus",
"extracted_events": [
{
"last_affected": "15.0"
},
{
"last_affected": "16.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_order_broker",
"extracted_events": [
{
"last_affected": "15.0"
},
{
"last_affected": "16.0"
},
{
"last_affected": "18.0"
},
{
"last_affected": "19.0"
},
{
"last_affected": "19.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_price_management",
"extracted_events": [
{
"last_affected": "14.0.3"
},
{
"last_affected": "14.1.3.0"
},
{
"last_affected": "15.0.3.0"
},
{
"last_affected": "16.0.3.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_xstore_point_of_service",
"extracted_events": [
{
"last_affected": "15.0.4"
},
{
"last_affected": "16.0.6"
},
{
"last_affected": "17.0.4"
},
{
"last_affected": "18.0.3"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:storagetek_tape_analytics_sw_tool",
"extracted_events": [
{
"last_affected": "2.3"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:utilities_framework",
"extracted_events": [
{
"introduced": "4.3.0.1.0"
},
{
"last_affected": "4.3.0.6.0"
},
{
"last_affected": "2.2.0.0.0"
},
{
"last_affected": "4.2.0.2.0"
},
{
"last_affected": "4.2.0.3.0"
},
{
"last_affected": "4.4.0.0.0"
},
{
"last_affected": "4.4.0.2.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:webcenter_portal",
"extracted_events": [
{
"last_affected": "11.1.1.9.0"
},
{
"last_affected": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.4.0"
}
]
}
]
}