CVE-2020-10683
Published: 1 May 2020
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
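The safe, non-default dom4j configuration that the OWASP guidance refers to, as an added Java example (not code from dom4j, OWASP or this tracker page); the class name `SafeDom4jReader`, the helper methods and the two sample documents are constructed for illustration:

```java
import java.io.StringReader;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class SafeDom4jReader {

    // Builds a SAXReader with the safe, non-default settings described in the
    // OWASP XXE Prevention Cheat Sheet. dom4j versions before 2.0.3 / 2.1.3
    // set none of these by default, which is what CVE-2020-10683 is about.
    public static SAXReader newSafeReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE outright: no DTD, no entity declarations at all.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must stay allowed:
        // never resolve external general or parameter entities, never fetch a DTD.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Returns true when the reader refuses the document (dom4j wraps the
    // underlying SAXParseException in a DocumentException).
    public static boolean isRejected(SAXReader reader, String xml) {
        try {
            reader.read(new StringReader(xml));
            return false;
        } catch (DocumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed samples: a plain document, and a harmless one that merely
        // carries a DOCTYPE with an internal entity. The hardened reader accepts
        // the first and refuses the second at the DOCTYPE, before any entity
        // is ever expanded.
        String plain = "<note>hello</note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY x \"hello\">]><note>&x;</note>";

        SAXReader safe = newSafeReader();
        System.out.println("plain rejected:        " + isRejected(safe, plain));
        System.out.println("with DOCTYPE rejected: " + isRejected(safe, withDoctype));
    }
}
```

Run the same two inputs through a bare `new SAXReader()` on an affected version to see the difference: the DOCTYPE document is parsed without complaint.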
Priority
Status
Package | Release | Status |
---|---|---|
dom4j | bionic | Needed |
dom4j | eoan | Ignored (end of life) |
dom4j | focal | Needed |
dom4j | groovy | Ignored (end of life) |
dom4j | hirsute | Not vulnerable (2.1.3-1) |
dom4j | impish | Not vulnerable (2.1.3-1) |
dom4j | jammy | Not vulnerable (2.1.3-1) |
dom4j | kinetic | Not vulnerable (2.1.3-1) |
dom4j | lunar | Not vulnerable (2.1.3-1) |
dom4j | mantic | Not vulnerable (2.1.3-1) |
dom4j | trusty | Needs triage |
dom4j | upstream | Needs triage |
dom4j | xenial | Released (1.6.1+dfsg.3-2ubuntu1.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |