Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2020-10683

dom4j allows External Entities by default which might enable XXE attacks

Description

dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.

Base CVSS

9.8

EPSS Score

2.35%

Introduced Version

0

Fix Available

2.0.3,2.1.2

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

org.dom4j:dom4j

References

https://www.oracle.com/security-alerts/cpujan2022.html

https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E

https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d

https://github.com/dom4j/dom4j/releases/tag/version-2.1.3

https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

https://github.com/dom4j/dom4j/issues/87

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E

https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

https://usn.ubuntu.com/4575-1

https://github.com/dom4j/dom4j

https://github.com/dom4j/dom4j/commits/version-2.0.3

https://www.oracle.com/security-alerts/cpuApr2021.html

https://nvd.nist.gov/vuln/detail/CVE-2020-10683

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://security.netapp.com/advisory/ntap-20200518-0002

https://bugzilla.redhat.com/show_bug.cgi?id=1694235

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpujul2022.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.