CVE-2020-10683

Source
https://cve.org/CVERecord?id=CVE-2020-10683
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10683.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-10683
Aliases
Downstream
Related
Published
2020-05-01T19:15:12.927Z
Modified
2026-05-30T15:46:31.763767Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

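dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default, which might enable XML External Entity (XXE) attacks when an application parses untrusted XML. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Because the issue is a parser default, it is prudent to configure XML readers explicitly (disallowing DOCTYPE declarations and external entity resolution) in addition to upgrading.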

Database specific
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2.4.0"
                },
                {
                    "last_affected": "2.10.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:banking_platform",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.2.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_diameter_signaling_router",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "12.6.0"
                },
                {
                    "last_affected": "12.6.4"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:documaker",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "8.0.6"
                },
                {
                    "last_affected": "8.1.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:financial_services_analytical_applications_infrastructure",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "11.1.0"
                },
                {
                    "last_affected": "11.3.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:insurance_policy_administration_j2ee",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "11.1.0"
                },
                {
                    "last_affected": "11.3.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:insurance_rules_palette",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "16.1.0.0"
                },
                {
                    "last_affected": "16.2.20.1"
                },
                {
                    "introduced": "17.1.0.0"
                },
                {
                    "last_affected": "17.12.17.1"
                },
                {
                    "introduced": "18.1.0.0"
                },
                {
                    "last_affected": "18.8.19.0"
                },
                {
                    "introduced": "19.12.0.0"
                },
                {
                    "last_affected": "19.12.6.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:primavera_p6_enterprise_project_portfolio_management",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "introduced": "4.3.0.1.0"
                },
                {
                    "last_affected": "4.3.0.6.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:utilities_framework",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "16.04"
                }
            ],
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"
            ],
            "vendor_product": "canonical:ubuntu_linux",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "15.1"
                }
            ],
            "cpes": [
                "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "opensuse:leap",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "9.3.3"
                },
                {
                    "last_affected": "9.3.5"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:agile_plm",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "13.3.0.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:application_testing_suite",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:business_process_management_suite",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "3.9m0p1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_application_session_controller",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.3.0"
                },
                {
                    "last_affected": "7.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:communications_unified_inventory_management",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:data_integrator",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "3.2.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:endeca_information_discovery_integrator",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "11.1.1.9.0"
                },
                {
                    "last_affected": "12.2.1.3.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:enterprise_data_quality",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "13.4.0.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:enterprise_manager_base_platform",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "11.7.0"
                },
                {
                    "last_affected": "11.8.0"
                },
                {
                    "last_affected": "11.9.0"
                },
                {
                    "last_affected": "11.10.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:flexcube_core_banking",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:fusion_middleware",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:health_sciences_empirica_signal",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "3.0.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:health_sciences_information_manager",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "10.2.0"
                },
                {
                    "last_affected": "10.2.4"
                },
                {
                    "last_affected": "11.0.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:insurance_policy_administration_j2ee",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "10.2.0"
                },
                {
                    "last_affected": "10.2.4"
                },
                {
                    "last_affected": "11.0.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:insurance_rules_palette",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:jdeveloper",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "12.1"
                },
                {
                    "last_affected": "12.2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:rapid_planning",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "16.0"
                },
                {
                    "last_affected": "17.0"
                },
                {
                    "last_affected": "18.0"
                },
                {
                    "last_affected": "19.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_customer_management_and_segmentation_foundation",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "15.0"
                },
                {
                    "last_affected": "16.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_integration_bus",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "15.0"
                },
                {
                    "last_affected": "16.0"
                },
                {
                    "last_affected": "18.0"
                },
                {
                    "last_affected": "19.0"
                },
                {
                    "last_affected": "19.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_order_broker",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "14.0.3"
                },
                {
                    "last_affected": "14.1.3.0"
                },
                {
                    "last_affected": "15.0.3.0"
                },
                {
                    "last_affected": "16.0.3.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_price_management",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "15.0.4"
                },
                {
                    "last_affected": "16.0.6"
                },
                {
                    "last_affected": "17.0.4"
                },
                {
                    "last_affected": "18.0.3"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:retail_xstore_point_of_service",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "2.3"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:storagetek_tape_analytics_sw_tool",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "2.2.0.0.0"
                },
                {
                    "last_affected": "4.2.0.2.0"
                },
                {
                    "last_affected": "4.2.0.3.0"
                },
                {
                    "last_affected": "4.4.0.0.0"
                },
                {
                    "last_affected": "4.4.0.2.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:utilities_framework",
            "source": "CPE_STRING"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "11.1.1.9.0"
                },
                {
                    "last_affected": "12.2.1.3.0"
                },
                {
                    "last_affected": "12.2.1.4.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "oracle:webcenter_portal",
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/dom4j/dom4j

Affected ranges

Type
GIT
Repo
https://github.com/dom4j/dom4j
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.3"
        },
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.3"
        }
    ],
    "cpe": "cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

dom4j-2.*
dom4j-2.0.0-RC1
v2.*
v2.0.0
version-2.*
version-2.0.0
version-2.0.1
version-2.0.2
version-2.0.3
version-2.1.2

Database specific

vanir_signatures
[
    {
        "digest": {
            "line_hashes": [
                "289070234072408585212184418136422221626",
                "314218572258449565639495098578400842484",
                "278425127461858653438666120943008024828",
                "95551258217369462032001028625918395216",
                "269335689628032291606046181545186084783",
                "335124282446112984406807697488474485730",
                "295976830465420063006800175223854572778",
                "158454876039485327762106342600466568364",
                "110959199063786672692093420938466899103",
                "119225822102488723466427082625050319534",
                "333837407954189545298427749804099420545",
                "186041557676415486332699646889213812092",
                "244945934756369770721577164845539335298",
                "294408344992573638591127420391670961600",
                "94682446704296719493119184386352783720",
                "203302141247850905506078496394490268944",
                "97401442897590431512535498408835252155",
                "13269132013862143383972900871129288593",
                "184323935270998219150969352143157667250",
                "96448100332605531161970626826144628343",
                "326488926446971900316708252374919303286",
                "211227091620509928884411587848340298133",
                "77656284585654907979653591554982709768",
                "263019444166773328863955409389462198909",
                "95900888279376354126767471309008386038",
                "120066915136680255485003959707060619625",
                "144230350186019479627581165249710563998",
                "172758673701195064137650803981727570080",
                "297461772894701874577526858597637202567",
                "292510640216103359742832410400968930205",
                "46938245754177380399383629469432394181",
                "316631940602990656772822430627548482514",
                "267399066138777184558893738222718038018",
                "169372279709046818849097903635450645420",
                "55975209775687508165599691128111850802",
                "261147642439077498118534368306055091593",
                "10538986358793603896197580297015164064",
                "51768543087751066337456304881977365452",
                "140494304525946992207110315455624867498"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2020-10683-14b5b696",
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/org/dom4j/DocumentHelper.java"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
    },
    {
        "digest": {
            "function_hash": "135129762196280674451366917854476667246",
            "length": 612.0
        },
        "id": "CVE-2020-10683-59dd22ba",
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/org/dom4j/DocumentHelper.java",
            "function": "parseText"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
    },
    {
        "digest": {
            "line_hashes": [
                "214589374113145581172090263854558816062",
                "11057160014776544504723130598664221013",
                "182298396958698324987132515118936066536",
                "328862240158751917490374192294594187922",
                "273652869161698591652267983611380765958",
                "289034456532230014528463402003943529445",
                "274113495049162819455697020409132488328",
                "246037191236006632832713213579410947270",
                "234060024108077448299545469423796721623",
                "102715412356406950219770955940244365114"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2020-10683-f0bffcc3",
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/org/dom4j/io/SAXHelper.java"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-10683.json"
vanir_signatures_modified
"2026-05-30T15:46:31Z"