CVE-2020-10683

CVSS v3.1 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 0.66 % (80th)
Affected Products 38
Advisories 5

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Weaknesses
CWE-611
Improper Restriction of XML External Entity Reference
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2020-05-01 19:15:12
Updated Date
2023-11-07 03:14:11

Affected Products

Configuration #1

    Product (vendor, name, affected versions)    CPE23    From    Up To
  Dom4j Project Dom4j prior 2.0.3 version cpe:2.3:a:dom4j_project:dom4j < 2.0.3
  Dom4j Project Dom4j from 2.1.0 version and prior 2.1.3 version cpe:2.3:a:dom4j_project:dom4j >= 2.1.0 < 2.1.3

Configuration #2

    Product (vendor, name, affected versions)    CPE23    From    Up To
  Oracle Agile Plm 9.3.3 cpe:2.3:a:oracle:agile_plm:9.3.3
  Oracle Agile Plm 9.3.5 cpe:2.3:a:oracle:agile_plm:9.3.5
  Oracle Application Testing Suite 13.3.0.1 cpe:2.3:a:oracle:application_testing_suite:13.3.0.1
  Oracle Banking Platform from 2.4.0 version and 2.10.0 and prior versions cpe:2.3:a:oracle:banking_platform >= 2.4.0 <= 2.10.0
  Oracle Business Process Management Suite 12.2.1.3.0 cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0
  Oracle Business Process Management Suite 12.2.1.4.0 cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0
  Oracle Communications Application Session Controller 3.9m0p1 cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1
  Oracle Communications Diameter Signaling Router from 8.0.0 version and 8.2.2 and prior versions cpe:2.3:a:oracle:communications_diameter_signaling_router >= 8.0.0 <= 8.2.2
  Oracle Communications Unified Inventory Management 7.3.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0
  Oracle Communications Unified Inventory Management 7.4.0 cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
  Oracle Data Integrator 12.2.1.3.0 cpe:2.3:a:oracle:data_integrator:12.2.1.3.0
  Oracle Data Integrator 12.2.1.4.0 cpe:2.3:a:oracle:data_integrator:12.2.1.4.0
  Oracle Documaker from 12.6.0 version and 12.6.4 and prior versions cpe:2.3:a:oracle:documaker >= 12.6.0 <= 12.6.4
  Oracle Endeca Information Discovery Integrator 3.2.0 cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0
  Oracle Enterprise Data Quality 11.1.1.9.0 cpe:2.3:a:oracle:enterprise_data_quality:11.1.1.9.0
  Oracle Enterprise Data Quality 12.2.1.3.0 cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0
  Oracle Enterprise Manager Base Platform 13.4.0.0 cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0
  Oracle Financial Services Analytical Applications Infrastructure from 8.0.6 version and 8.1.0 and prior versions cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure >= 8.0.6 <= 8.1.0
  Oracle Flexcube Core Banking 11.7.0 cpe:2.3:a:oracle:flexcube_core_banking:11.7.0
  Oracle Flexcube Core Banking 11.8.0 cpe:2.3:a:oracle:flexcube_core_banking:11.8.0
  Oracle Flexcube Core Banking 11.9.0 cpe:2.3:a:oracle:flexcube_core_banking:11.9.0
  Oracle Flexcube Core Banking 11.10.0 cpe:2.3:a:oracle:flexcube_core_banking:11.10.0
  Oracle Fusion Middleware 12.2.1.4.0 cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0
  Oracle Health Sciences Empirica Signal 9.0 cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0
  Oracle Health Sciences Information Manager 3.0.1 cpe:2.3:a:oracle:health_sciences_information_manager:3.0.1
  Oracle Insurance Policy Administration J2ee from 11.1.0 version and 11.3.0 and prior versions cpe:2.3:a:oracle:insurance_policy_administration_j2ee >= 11.1.0 <= 11.3.0
  Oracle Insurance Policy Administration J2ee 10.2.0 cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0
  Oracle Insurance Policy Administration J2ee 10.2.4 cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4
  Oracle Insurance Policy Administration J2ee 11.0.2 cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2
  Oracle Insurance Rules Palette from 11.1.0 version and 11.3.0 and prior versions cpe:2.3:a:oracle:insurance_rules_palette >= 11.1.0 <= 11.3.0
  Oracle Insurance Rules Palette 10.2.0 cpe:2.3:a:oracle:insurance_rules_palette:10.2.0
  Oracle Insurance Rules Palette 10.2.4 cpe:2.3:a:oracle:insurance_rules_palette:10.2.4
  Oracle Insurance Rules Palette 11.0.2 cpe:2.3:a:oracle:insurance_rules_palette:11.0.2
  Oracle Jdeveloper 12.2.1.4.0 cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0
  Oracle Primavera P6 Enterprise Project Portfolio Management from 16.1.0.0 version and 16.2.20.1 and prior versions cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management >= 16.1.0.0 <= 16.2.20.1
  Oracle Primavera P6 Enterprise Project Portfolio Management from 17.1.0.0 version and 17.12.17.1 and prior versions cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management >= 17.1.0.0 <= 17.12.17.1
  Oracle Primavera P6 Enterprise Project Portfolio Management from 18.1.0.0 version and 18.8.19.0 and prior versions cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management >= 18.1.0.0 <= 18.8.19.0
  Oracle Primavera P6 Enterprise Project Portfolio Management from 19.12.0.0 version and 19.12.6.0 and prior versions cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management >= 19.12.0.0 <= 19.12.6.0
  Oracle Rapid Planning 12.1 cpe:2.3:a:oracle:rapid_planning:12.1
  Oracle Rapid Planning 12.2 cpe:2.3:a:oracle:rapid_planning:12.2
  Oracle Retail Customer Management And Segmentation Foundation 16.0 cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:16.0
  Oracle Retail Customer Management And Segmentation Foundation 17.0 cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0
  Oracle Retail Customer Management And Segmentation Foundation 18.0 cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0
  Oracle Retail Customer Management And Segmentation Foundation 19.0 cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0
  Oracle Retail Integration Bus 15.0 cpe:2.3:a:oracle:retail_integration_bus:15.0
  Oracle Retail Integration Bus 16.0 cpe:2.3:a:oracle:retail_integration_bus:16.0
  Oracle Retail Order Broker 15.0 cpe:2.3:a:oracle:retail_order_broker:15.0
  Oracle Retail Order Broker 16.0 cpe:2.3:a:oracle:retail_order_broker:16.0
  Oracle Retail Order Broker 18.0 cpe:2.3:a:oracle:retail_order_broker:18.0
  Oracle Retail Order Broker 19.0 cpe:2.3:a:oracle:retail_order_broker:19.0
  Oracle Retail Order Broker 19.1 cpe:2.3:a:oracle:retail_order_broker:19.1
  Oracle Retail Price Management 14.0.3 cpe:2.3:a:oracle:retail_price_management:14.0.3
  Oracle Retail Price Management 14.1.3.0 cpe:2.3:a:oracle:retail_price_management:14.1.3.0
  Oracle Retail Price Management 15.0.3.0 cpe:2.3:a:oracle:retail_price_management:15.0.3.0
  Oracle Retail Price Management 16.0.3.0 cpe:2.3:a:oracle:retail_price_management:16.0.3.0
  Oracle Retail Xstore Point Of Service 15.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4
  Oracle Retail Xstore Point Of Service 16.0.6 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
  Oracle Retail Xstore Point Of Service 17.0.4 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
  Oracle Retail Xstore Point Of Service 18.0.3 cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
  Oracle Storagetek Tape Analytics Sw Tool 2.3 cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3
  Oracle Utilities Framework from 4.3.0.1.0 version and 4.3.0.6.0 and prior versions cpe:2.3:a:oracle:utilities_framework >= 4.3.0.1.0 <= 4.3.0.6.0
  Oracle Utilities Framework 2.2.0.0.0 cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0
  Oracle Utilities Framework 4.2.0.2.0 cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0
  Oracle Utilities Framework 4.2.0.3.0 cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0
  Oracle Utilities Framework 4.4.0.0.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
  Oracle Utilities Framework 4.4.0.2.0 cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0
  Oracle Webcenter Portal 11.1.1.9.0 cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0
  Oracle Webcenter Portal 12.2.1.3.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0
  Oracle Webcenter Portal 12.2.1.4.0 cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0

Configuration #3

    Product (vendor, name, affected versions)    CPE23    From    Up To
  Opensuse Leap 15.1 cpe:2.3:o:opensuse:leap:15.1

Configuration #4

    Product (vendor, name, affected versions)    CPE23    From    Up To
  Netapp Oncommand Api Services cpe:2.3:a:netapp:oncommand_api_services:-
  Netapp Oncommand Workflow Automation cpe:2.3:a:netapp:oncommand_workflow_automation:-
  Netapp Snap Creator Framework cpe:2.3:a:netapp:snap_creator_framework:-
  Netapp Snapcenter cpe:2.3:a:netapp:snapcenter:-
  Netapp Snapmanager for Oracle cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle
  Netapp Snapmanager for Sap cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap

Configuration #5

    Product (vendor, name, affected versions)    CPE23    From    Up To
  Canonical Ubuntu Linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm