CVE-2020-10683 : dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Enti

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Published 2020-05-01 19:15:13

Updated 2022-07-25 18:15:17

Source MITRE

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2020-10683

Oracle » Jdeveloper » Version: 12.2.1.4.0
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Fusion Middleware » Version: 12.2.1.4.0
cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Application Testing Suite » Version: 13.3.0.1
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 15.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 16.0.6
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 15.0
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 16.0
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Documaker
Versions from including (>=) 12.6.0 and up to, including, (<=) 12.6.4
cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Policy Administration J2ee
Versions from including (>=) 11.1.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Policy Administration J2ee » Version: 10.2.0
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Policy Administration J2ee » Version: 10.2.4
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Policy Administration J2ee » Version: 11.0.2
cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Rules Palette
Versions from including (>=) 11.1.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Rules Palette » Version: 10.2.0
cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Rules Palette » Version: 10.2.4
cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Rules Palette » Version: 11.0.2
cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management
Versions from including (>=) 16.1.0.0 and up to, including, (<=) 16.2.20.1
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management
Versions from including (>=) 19.12.0.0 and up to, including, (<=) 19.12.6.0
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management
Versions from including (>=) 17.1.0.0 and up to, including, (<=) 17.12.17.1
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera P6 Enterprise Project Portfolio Management
Versions from including (>=) 18.1.0.0 and up to, including, (<=) 18.8.19.0
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Information Manager » Version: 3.0.1
cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.4.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform
Versions from including (>=) 2.4.0 and up to, including, (<=) 2.10.0
cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
Matching versions
Oracle » Data Integrator » Version: 12.2.1.3.0
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Data Integrator » Version: 12.2.1.4.0
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Core Banking » Version: 11.7.0
cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Core Banking » Version: 11.8.0
cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Core Banking » Version: 11.9.0
cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Flexcube Core Banking » Version: 11.10.0
cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.3.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 11.1.1.9.0
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Webcenter Portal » Version: 12.2.1.4.0
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure
Versions from including (>=) 8.0.6 and up to, including, (<=) 8.1.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.3.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Process Management Suite » Version: 12.2.1.3.0
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Process Management Suite » Version: 12.2.1.4.0
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Customer Management And Segmentation Foundation » Version: 17.0
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Customer Management And Segmentation Foundation » Version: 16.0
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Customer Management And Segmentation Foundation » Version: 18.0
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Customer Management And Segmentation Foundation » Version: 19.0
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
Matching versions
Oracle » Endeca Information Discovery Integrator » Version: 3.2.0
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Diameter Signaling Router
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.2.2
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Order Broker » Version: 15.0
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Order Broker » Version: 16.0
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Order Broker » Version: 18.0
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Order Broker » Version: 19.0
cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Order Broker » Version: 19.1
cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Application Session Controller » Version: 3.9m0p1
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Data Quality » Version: 12.2.1.3.0
cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Data Quality » Version: 11.1.1.9.0
cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework
Versions from including (>=) 4.3.0.1.0 and up to, including, (<=) 4.3.0.6.0
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.2.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.2.0.3.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.4.0.0.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 2.2.0.0.0
cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.4.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Plm » Version: 9.3.5
cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Plm » Version: 9.3.3
cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
Matching versions
Oracle » Rapid Planning » Version: 12.1
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
Matching versions
Oracle » Rapid Planning » Version: 12.2
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
Matching versions
Oracle » Storagetek Tape Analytics Sw Tool » Version: 2.3
cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Empirica Signal » Version: 9.0
cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Price Management » Version: 14.0.3
cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Price Management » Version: 14.1.3.0
cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Price Management » Version: 15.0.3.0
cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Price Management » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snap Creator Framework » Version: N/A
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For Oracle
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For SAP
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Api Services » Version: N/A
cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*
Matching versions
Dom4j Project » Dom4j
Versions before (<) 2.0.3
cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*
Matching versions
Dom4j Project » Dom4j
Versions from including (>=) 2.1.0 and before (<) 2.1.3
cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-10683

EPSS FAQ

0.85%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-10683

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-10683

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-10683

https://www.oracle.com/security-alerts/cpuoct2020.html

Oracle Critical Patch Update Advisory - October 2020
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/dom4j/dom4j/commits/version-2.0.3

Commits · dom4j/dom4j · GitHub
Patch;Third Party Advisory
https://github.com/dom4j/dom4j/releases/tag/version-2.1.3

Release version-2.1.3 · dom4j/dom4j · GitHub
Release Notes;Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html

[security-announce] openSUSE-SU-2020:0719-1: important: Security update
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E

Use of external DTDs - CVE-2020-10683 - Pony Mail
Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1694235

1694235 – (CVE-2020-10683) CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser
Issue Tracking;Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Oracle Critical Patch Update Advisory - January 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021
Patch;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4575-1/

USN-4575-1: dom4j vulnerability | Ubuntu security notices | Ubuntu
Third Party Advisory
https://github.com/dom4j/dom4j/issues/87

SAXReader uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser() which has unsecure defaults · Issue #87 · dom4j/dom4j · GitHub
Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

XML External Entity Prevention · OWASP Cheat Sheet Series
Third Party Advisory
https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E

Re: Use of external DTDs - CVE-2020-10683 - Pony Mail
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

SAXReader uses system default XMLReader with its defaults. New factor… · dom4j/dom4j@a822852 · GitHub
Patch;Third Party Advisory
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E

[jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200518-0002/

CVE-2020-10683 Dom4j Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-10683

Products affected by CVE-2020-10683

Exploit prediction scoring system (EPSS) score for CVE-2020-10683

CVSS scores for CVE-2020-10683

CWE ids for CVE-2020-10683

References for CVE-2020-10683