Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Remediation

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html

https://bugzilla.redhat.com/show_bug.cgi?id=1694235

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

https://github.com/dom4j/dom4j/commits/version-2.0.3

https://github.com/dom4j/dom4j/issues/87

https://github.com/dom4j/dom4j/releases/tag/version-2.1.3

https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E

https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E

https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E

https://security.netapp.com/advisory/ntap-20200518-0002/

https://usn.ubuntu.com/4575-1/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2020-8175 Vulnerability in maven package org.webjars.npm:jpeg-js

CVE-2022-0144 Vulnerability in npm package shelljs

CVE-2022-43410 Vulnerability in maven package org.jenkins-ci.plugins:mercurial

CVE-2018-1000865 Vulnerability in maven package org.kohsuke:groovy-sandbox

CVE-2022-26884 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-server

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory Issue Tracking Patch Release Notes