GHSA-hwj3-m3p6-hj38

Source
https://github.com/advisories/GHSA-hwj3-m3p6-hj38
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hwj3-m3p6-hj38
Aliases
Published
2020-06-05T16:13:36Z
Modified
2024-03-08T05:20:38.388912Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
dom4j allows External Entities by default which might enable XXE attacks
Details

dom4j before 2.1.3 allows external DTDs and external entities by default, which may enable XML External Entity (XXE) attacks against any application that parses untrusted XML with a default-configured SAXReader. The safe behaviour is available but is not the default; popular external documentation from OWASP shows how to enable it in any application that uses dom4j.

Note: This advisory also applies to the dom4j:dom4j 1.x legacy artifacts, which have no fixed release. To resolve this, upgrading to the latest version of org.dom4j:dom4j is recommended.
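The following is an added example, not code from the dom4j project or from this advisory. It shows the unsafe default SAXReader beside a SAXReader hardened along the lines of the OWASP XXE prevention guidance referenced above. The XML payload is constructed for illustration and the file path in it is arbitrary; whether the default reader actually resolves the entity depends on the affected dom4j version and the underlying JAXP/SAX parser it delegates to, so the hardening should be applied regardless of version when parsing untrusted input.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeDemo {

    // Constructed sample payload: declares an external entity and dereferences
    // it inside the document body. The path is arbitrary and only illustrative.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [\n"
      + "  <!ENTITY secret SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<order><note>&secret;</note></order>";

    // Default-configured SAXReader. On affected versions the DOCTYPE is accepted
    // and the external entity is resolved, so the text of <note> becomes the
    // content of the referenced file.
    static String parseUnsafe(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().elementText("note");
    }

    // Hardened SAXReader following the OWASP guidance for dom4j: reject any
    // DOCTYPE outright, and as defence in depth also disable external
    // general/parameter entities and external DTD loading. SAXReader.setFeature
    // passes these SAX feature URIs straight through to the underlying parser.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    static String parseSafe(String xml) throws DocumentException, SAXException {
        Document doc = hardenedReader().read(new StringReader(xml));
        return doc.getRootElement().elementText("note");
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("default reader returned: " + parseUnsafe(XXE_PAYLOAD));
        } catch (DocumentException e) {
            // Fixed versions, or a parser that refuses the entity, end up here.
            System.out.println("default reader failed: " + e.getMessage());
        }
        try {
            parseSafe(XXE_PAYLOAD);
            System.out.println("hardened reader accepted the document (unexpected)");
        } catch (DocumentException e) {
            // disallow-doctype-decl makes the parser reject the DOCTYPE before any
            // entity can be resolved; dom4j wraps the SAXParseException.
            System.out.println("hardened reader rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE entirely is the strongest setting and is appropriate for most applications, which never need inline DTDs. If a legitimate DTD must be accepted, keep `disallow-doctype-decl` off but leave the two external-entity features disabled and `load-external-dtd` false; that still blocks the classic file-read and SSRF XXE paths, while billion-laughs style internal entity expansion should then be bounded by the JAXP parser's own entity-expansion limits.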

References

Affected packages

Maven / org.dom4j:dom4j

Package

Name
org.dom4j:dom4j
Purl
pkg:maven/org.dom4j/dom4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.3

Affected versions

2.*

2.0.0-RC1
2.0.0
2.0.1
2.0.2

Maven / org.dom4j:dom4j

Package

Name
org.dom4j:dom4j
Purl
pkg:maven/org.dom4j/dom4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.3

Affected versions

2.*

2.1.0
2.1.1

Maven / dom4j:dom4j

Package

Name
dom4j:dom4j
Purl
pkg:maven/dom4j/dom4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.6.1

Affected versions

1.*

1.1
1.3
1.4
1.4-dev-2
1.4-dev-3
1.4-dev-4
1.4-dev-5
1.4-dev-6
1.4-dev-7
1.4-dev-8
1.5-beta-2
1.5-rc1
1.5
1.5.1
1.5.2
1.6
1.6.1