{"id":"CVE-2020-10683","details":"dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.","aliases":["GHSA-hwj3-m3p6-hj38"],"modified":"2026-05-16T03:55:27.730799828Z","published":"2020-05-01T19:15:12.927Z","related":["SUSE-SU-2020:1382-1","SUSE-SU-2020:1383-1","openSUSE-SU-2020:0719-1","openSUSE-SU-2024:10724-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}],"vendor_product":"canonical:ubuntu_linux"},{"vendor_product":"opensuse:leap","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"}],"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.3.3"},{"last_affected":"9.3.5"}],"vendor_product":"oracle:agile_plm"},{"cpes":["cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"13.3.0.1"}],"vendor_product":"oracle:application_testing_suite"},{"cpes":["cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"2.4.0"},{"last_affected":"2.10.0"}],"vendor_product":"oracle:banking_platform"},{"vendor_product":"oracle:business_process_management_suite","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"cpes":["cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"3.9m0p1"}],"vendor_product":"oracle:communications_application_session_controller"},{"cpes":["cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"8.0.0"},{"last_affected":"8.2.2"}],"vendor_product":"oracle:communications_diameter_signaling_router"},{"vendor_product":"oracle:communications_unified_inventory_management","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.3.0"},{"last_affected":"7.4.0"}],"cpes":["cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:data_integrator","extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:documaker","extracted_events":[{"introduced":"12.6.0"},{"last_affected":"12.6.4"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:endeca_information_discovery_integrator","source":"CPE_FIELD","extracted_events":[{"last_affected":"3.2.0"}],"cpes":["cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:enterprise_data_quality","source":"CPE_FIELD","extracted_events":[{"last_affected":"11.1.1.9.0"},{"last_affected":"12.2.1.3.0"}],"cpes":["cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:enterprise_manager_base_platform","source":"CPE_FIELD","extracted_events":[{"last_affected":"13.4.0.0"}],"cpes":["cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:financial_services_analytical_applications_infrastructure","source":"CPE_FIELD","extracted_events":[{"introduced":"8.0.6"},{"last_affected":"8.1.0"}],"cpes":["cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:flexcube_core_banking","extracted_events":[{"last_affected":"11.7.0"},{"last_affected":"11.8.0"},{"last_affected":"11.9.0"},{"last_affected":"11.10.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:fusion_middleware","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.4.0"}],"cpes":["cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"vendor_product":"oracle:health_sciences_empirica_signal"},{"vendor_product":"oracle:health_sciences_information_manager","source":"CPE_FIELD","extracted_events":[{"last_affected":"3.0.1"}],"cpes":["cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"11.1.0"},{"last_affected":"11.3.0"},{"last_affected":"10.2.0"},{"last_affected":"10.2.4"},{"last_affected":"11.0.2"}],"vendor_product":"oracle:insurance_policy_administration_j2ee"},{"cpes":["cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"11.1.0"},{"last_affected":"11.3.0"},{"last_affected":"10.2.0"},{"last_affected":"10.2.4"},{"last_affected":"11.0.2"}],"vendor_product":"oracle:insurance_rules_palette"},{"vendor_product":"oracle:jdeveloper","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.4.0"}],"cpes":["cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:primavera_p6_enterprise_project_portfolio_management","source":"CPE_FIELD","extracted_events":[{"introduced":"16.1.0.0"},{"last_affected":"16.2.20.1"},{"introduced":"17.1.0.0"},{"last_affected":"17.12.17.1"},{"introduced":"18.1.0.0"},{"last_affected":"18.8.19.0"},{"introduced":"19.12.0.0"},{"last_affected":"19.12.6.0"}],"cpes":["cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*"]},{"vendor_product":"oracle:rapid_planning","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.1"},{"last_affected":"12.2"}],"cpes":["cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.0"},{"last_affected":"17.0"},{"last_affected":"18.0"},{"last_affected":"19.0"}],"vendor_product":"oracle:retail_customer_management_and_segmentation_foundation"},{"vendor_product":"oracle:retail_integration_bus","source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0"},{"last_affected":"16.0"}],"cpes":["cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0"},{"last_affected":"16.0"},{"last_affected":"18.0"},{"last_affected":"19.0"},{"last_affected":"19.1"}],"vendor_product":"oracle:retail_order_broker"},{"vendor_product":"oracle:retail_price_management","extracted_events":[{"last_affected":"14.0.3"},{"last_affected":"14.1.3.0"},{"last_affected":"15.0.3.0"},{"last_affected":"16.0.3.0"}],"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:retail_price_management:14.0.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_price_management:14.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_price_management:15.0.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_price_management:16.0.3.0:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0.4"},{"last_affected":"16.0.6"},{"last_affected":"17.0.4"},{"last_affected":"18.0.3"}],"vendor_product":"oracle:retail_xstore_point_of_service"},{"vendor_product":"oracle:storagetek_tape_analytics_sw_tool","source":"CPE_FIELD","extracted_events":[{"last_affected":"2.3"}],"cpes":["cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*"]},{"cpes":["cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"4.3.0.1.0"},{"last_affected":"4.3.0.6.0"},{"last_affected":"2.2.0.0.0"},{"last_affected":"4.2.0.2.0"},{"last_affected":"4.2.0.3.0"},{"last_affected":"4.4.0.0.0"},{"last_affected":"4.4.0.2.0"}],"vendor_product":"oracle:utilities_framework"},{"cpes":["cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"last_affected":"11.1.1.9.0"},{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"vendor_product":"oracle:webcenter_portal"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"},{"type":"ADVISORY","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"type":"ADVISORY","url":"https://github.com/dom4j/dom4j/issues/87"},{"type":"ADVISORY","url":"https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200518-0002/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4575-1/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1694235"},{"type":"FIX","url":"https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"},{"type":"FIX","url":"https://github.com/dom4j/dom4j/commits/version-2.0.3"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}