CVE-2020-10683

Published: 01 May 2020

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
dom4j
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(2.1.3-1)
Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.6.1+dfsg.3-2ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr) Needed

Ubuntu 12.04 ESM (Precise Pangolin) Does not exist