CVE-2020-10683
high-risk
Published 2020-05-01
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Do I need to act?
7.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: 177069f0e96a40ddab5ab7f41519ec29e5a39652, 7fbdc6d58623ec0b54b9b44a4738781b65191df1, a8228522a99a02146106672a34c104adbda5c658
CVSS 9.8/10 (Critical)
Attack vector: NETWORK / LOW complexity
Affected Products (20)
Dom4J
Enterprise Data Quality
Enterprise Data Quality
Flexcube Core Banking
Affected Vendors
References (40)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1694235
Third Party Advisory
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Ch...
Third Party Advisory
https://github.com/dom4j/dom4j/issues/87
Third Party Advisory
https://security.netapp.com/advisory/ntap-20200518-0002/
Third Party Advisory
https://usn.ubuntu.com/4575-1/
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Risk score: 69/100 (high-risk)
Severity: 32/34 · Critical
Exploitability: 9/34 · Low
Exposure: 28/34 · Critical