[MAVEN:GHSA-6PCC-3RFX-4GPM] Dom4j contains an XML Injection vulnerability

Severity High
Affected Packages 3
Fixed Packages 2
CVEs 1

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in class Element, methods addElement and addAttribute. The element and attribute names passed to these methods are not validated, so an attacker who controls such a name can tamper with the resulting XML document through XML injection. The attack is exploitable wherever attacker-supplied input is used as the name of an element or attribute. The vulnerability is fixed in 2.1.1 and later.

Note: This advisory also applies to the legacy dom4j:dom4j 1.x artifacts (<= 1.6.1), for which no fixed version is published under that coordinate. To resolve it, migrate to the latest version of org.dom4j:dom4j.
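The following Java example is added here to show what the advisory describes in working code; it is not code from the advisory or from the dom4j project. It assumes an affected org.dom4j:dom4j build (2.1.0 or < 2.0.3) on the classpath. The class name Dom4jNameInjectionDemo, the method names vulnerable, hardenedByDesign and hardenedByValidation, the NCNAME pattern and the payload are all constructed for illustration.

```java
import java.util.regex.Pattern;

import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/**
 * Illustrates CWE-91 in dom4j Element.addElement / Element.addAttribute
 * (org.dom4j:dom4j < 2.0.3 and 2.1.0, dom4j:dom4j <= 1.6.1) and two mitigations.
 * Run it against an affected version to see the injected markup; on 2.1.1 or
 * later the library is expected to reject the invalid name instead.
 */
public class Dom4jNameInjectionDemo {

    // Restrictive, ASCII-only approximation of the XML NCName production.
    // Assumption: stricter than the spec, which also permits many non-ASCII
    // letters; adjust to the input contract of the application.
    private static final Pattern NCNAME = Pattern.compile("[A-Za-z_][A-Za-z0-9._-]*");

    /** Vulnerable pattern: an untrusted string becomes the attribute NAME. */
    static String vulnerable(String untrustedKey, String untrustedValue) {
        Document doc = DocumentHelper.createDocument();
        Element user = doc.addElement("user");
        // Affected versions store the name verbatim; the serializer writes the
        // name unescaped and escapes only the value.
        user.addAttribute(untrustedKey, untrustedValue);
        return user.asXML();
    }

    /** Mitigation 1: keep untrusted data out of names entirely. */
    static String hardenedByDesign(String untrustedKey, String untrustedValue) {
        Document doc = DocumentHelper.createDocument();
        Element user = doc.addElement("user");
        // Fixed names chosen by the application; attacker-controlled strings
        // only ever appear as attribute values, which dom4j escapes on output.
        user.addElement("property")
            .addAttribute("key", untrustedKey)
            .addAttribute("value", untrustedValue);
        return user.asXML();
    }

    /** Mitigation 2: if a name must be dynamic, validate it as an NCName first. */
    static String hardenedByValidation(String untrustedKey, String untrustedValue) {
        if (!NCNAME.matcher(untrustedKey).matches()) {
            throw new IllegalArgumentException("rejected attribute name: " + untrustedKey);
        }
        Document doc = DocumentHelper.createDocument();
        Element user = doc.addElement("user");
        user.addAttribute(untrustedKey, untrustedValue);
        return user.asXML();
    }

    public static void main(String[] args) {
        // Constructed payload: a form field whose NAME smuggles a second attribute.
        String key = "note=\"hi\" role";   // attacker-controlled field name
        String value = "admin";            // attacker-controlled field value

        System.out.println(vulnerable(key, value));
        System.out.println(hardenedByDesign(key, value));
        try {
            System.out.println(hardenedByValidation(key, value));
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

On an affected version the first line printed carries a role="admin" attribute that the application never set, because the attribute name reaches the output verbatim while only the value is escaped. The addElement case behaves the same way, but the injected string is emitted in both the start and the end tag, so the result is usually malformed rather than silently altered. Upgrading to 2.1.1 (or 2.0.3 on the 2.0 line) is the fix; the two hardened variants remain sound regardless of library version, and the first, never letting untrusted input choose a name, is the one to prefer.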

Package                      Affected Version   Fixed Version
pkg:maven/org.dom4j/dom4j    = 2.1.0            = 2.1.1
pkg:maven/org.dom4j/dom4j    < 2.0.3            = 2.0.3
pkg:maven/dom4j/dom4j        <= 1.6.1           none (migrate to org.dom4j:dom4j)
ID
MAVEN:GHSA-6PCC-3RFX-4GPM
Severity
high
URL
https://github.com/advisories/GHSA-6pcc-3rfx-4gpm
Published
2018-10-16T17:01:25
Modified
2023-02-01T05:03:22
Rights
Maven Security Team
Other Advisories
Source # ID Name URL
https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
https://github.com/dom4j/dom4j/issues/48
https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
https://github.com/advisories/GHSA-6pcc-3rfx-4gpm
https://ihacktoprotect.com/post/dom4j-xml-injection/
https://access.redhat.com/errata/RHSA-2019:0362
https://access.redhat.com/errata/RHSA-2019:0364
https://access.redhat.com/errata/RHSA-2019:0365
https://access.redhat.com/errata/RHSA-2019:0380
https://access.redhat.com/errata/RHSA-2019:1159
https://access.redhat.com/errata/RHSA-2019:1160
https://access.redhat.com/errata/RHSA-2019:1161
https://access.redhat.com/errata/RHSA-2019:1162
https://access.redhat.com/errata/RHSA-2019:3172
https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/
https://security.netapp.com/advisory/ntap-20190530-0001/
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E