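dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default, which might enable XML External Entity (XXE) attacks when an application parses untrusted XML. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j; on the affected versions the application has to apply that configuration explicitly.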
[
{
"source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658",
"signature_type": "Line",
"target": {
"file": "src/main/java/org/dom4j/DocumentHelper.java"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2020-10683-14b5b696",
"digest": {
"line_hashes": [
"289070234072408585212184418136422221626",
"314218572258449565639495098578400842484",
"278425127461858653438666120943008024828",
"95551258217369462032001028625918395216",
"269335689628032291606046181545186084783",
"335124282446112984406807697488474485730",
"295976830465420063006800175223854572778",
"158454876039485327762106342600466568364",
"110959199063786672692093420938466899103",
"119225822102488723466427082625050319534",
"333837407954189545298427749804099420545",
"186041557676415486332699646889213812092",
"244945934756369770721577164845539335298",
"294408344992573638591127420391670961600",
"94682446704296719493119184386352783720",
"203302141247850905506078496394490268944",
"97401442897590431512535498408835252155",
"13269132013862143383972900871129288593",
"184323935270998219150969352143157667250",
"96448100332605531161970626826144628343",
"326488926446971900316708252374919303286",
"211227091620509928884411587848340298133",
"77656284585654907979653591554982709768",
"263019444166773328863955409389462198909",
"95900888279376354126767471309008386038",
"120066915136680255485003959707060619625",
"144230350186019479627581165249710563998",
"172758673701195064137650803981727570080",
"297461772894701874577526858597637202567",
"292510640216103359742832410400968930205",
"46938245754177380399383629469432394181",
"316631940602990656772822430627548482514",
"267399066138777184558893738222718038018",
"169372279709046818849097903635450645420",
"55975209775687508165599691128111850802",
"261147642439077498118534368306055091593",
"10538986358793603896197580297015164064",
"51768543087751066337456304881977365452",
"140494304525946992207110315455624867498"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658",
"signature_type": "Function",
"target": {
"file": "src/main/java/org/dom4j/DocumentHelper.java",
"function": "parseText"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2020-10683-59dd22ba",
"digest": {
"function_hash": "135129762196280674451366917854476667246",
"length": 612.0
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658",
"signature_type": "Line",
"target": {
"file": "src/main/java/org/dom4j/io/SAXHelper.java"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2020-10683-f0bffcc3",
"digest": {
"line_hashes": [
"214589374113145581172090263854558816062",
"11057160014776544504723130598664221013",
"182298396958698324987132515118936066536",
"328862240158751917490374192294594187922",
"273652869161698591652267983611380765958",
"289034456532230014528463402003943529445",
"274113495049162819455697020409132488328",
"246037191236006632832713213579410947270",
"234060024108077448299545469423796721623",
"102715412356406950219770955940244365114"
],
"threshold": 0.9
}
}
]