dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default, which might enable XML External Entity (XXE) attacks when an application parses untrusted XML. However, popular external documentation from OWASP shows how to enable the safe, non-default behavior in any application that uses dom4j.
{ "vanir_signatures": [ { "signature_type": "Line", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "289070234072408585212184418136422221626", "314218572258449565639495098578400842484", "278425127461858653438666120943008024828", "95551258217369462032001028625918395216", "269335689628032291606046181545186084783", "335124282446112984406807697488474485730", "295976830465420063006800175223854572778", "158454876039485327762106342600466568364", "110959199063786672692093420938466899103", "119225822102488723466427082625050319534", "333837407954189545298427749804099420545", "186041557676415486332699646889213812092", "244945934756369770721577164845539335298", "294408344992573638591127420391670961600", "94682446704296719493119184386352783720", "203302141247850905506078496394490268944", "97401442897590431512535498408835252155", "13269132013862143383972900871129288593", "184323935270998219150969352143157667250", "96448100332605531161970626826144628343", "326488926446971900316708252374919303286", "211227091620509928884411587848340298133", "77656284585654907979653591554982709768", "263019444166773328863955409389462198909", "95900888279376354126767471309008386038", "120066915136680255485003959707060619625", "144230350186019479627581165249710563998", "172758673701195064137650803981727570080", "297461772894701874577526858597637202567", "292510640216103359742832410400968930205", "46938245754177380399383629469432394181", "316631940602990656772822430627548482514", "267399066138777184558893738222718038018", "169372279709046818849097903635450645420", "55975209775687508165599691128111850802", "261147642439077498118534368306055091593", "10538986358793603896197580297015164064", "51768543087751066337456304881977365452", "140494304525946992207110315455624867498" ] }, "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658", "id": "CVE-2020-10683-14b5b696", "signature_version": "v1", "target": { "file": 
"src/main/java/org/dom4j/DocumentHelper.java" } }, { "signature_type": "Function", "deprecated": false, "digest": { "function_hash": "135129762196280674451366917854476667246", "length": 612.0 }, "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658", "id": "CVE-2020-10683-59dd22ba", "signature_version": "v1", "target": { "file": "src/main/java/org/dom4j/DocumentHelper.java", "function": "parseText" } }, { "signature_type": "Line", "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "214589374113145581172090263854558816062", "11057160014776544504723130598664221013", "182298396958698324987132515118936066536", "328862240158751917490374192294594187922", "273652869161698591652267983611380765958", "289034456532230014528463402003943529445", "274113495049162819455697020409132488328", "246037191236006632832713213579410947270", "234060024108077448299545469423796721623", "102715412356406950219770955940244365114" ] }, "source": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658", "id": "CVE-2020-10683-f0bffcc3", "signature_version": "v1", "target": { "file": "src/main/java/org/dom4j/io/SAXHelper.java" } } ] }