Bug 13704

Summary: [CVE 21] dom4j 2.0.0 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2018-1000632, CVE-2020-10683,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:00:22 MSK 
Please patch CVEs for package dom4j version 2.0.0
  
INFO (CVEs are): dom4j 2.0.0
 cves found
CVE-2018-1000632
Desc: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
Severity: HIGH
CVE-2020-10683
Desc: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10683
Severity: CRITICAL
Comment 1 Vladimir Potapov 2023-10-20 12:45:26 MSK 

*** This bug has been marked as a duplicate of bug 13836 ***