CVE-2018-1000632

Description:
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

CWE: CWE-91 CWE-915

CVSS score
CVSS 2: MEDIUM – 5 (Version: 2.0)
CVSS 3: HIGH – 7.5 (Version: 3.1)

Links:

NVD – CVE-2018-1000632
CVE – CVE-2018-1000632

Link (max. 20) Source Tags
https://ihacktoprotect.com/post/dom4j-xml-injection/ MISC Exploit Third Party Advisory
https://github.com/dom4j/dom4j/issues/48 CONFIRM Third Party Advisory
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 CONFIRM Patch Third Party Advisory
[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update MLIST Mailing List Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html CONFIRM Patch Third Party Advisory
RHSA-2019:0365 REDHAT Third Party Advisory
RHSA-2019:0364 REDHAT Third Party Advisory
RHSA-2019:0362 REDHAT Third Party Advisory
RHSA-2019:0380 REDHAT Patch Third Party Advisory
RHSA-2019:1162 REDHAT Patch Third Party Advisory
RHSA-2019:1161 REDHAT Third Party Advisory
RHSA-2019:1160 REDHAT Third Party Advisory
RHSA-2019:1159 REDHAT Third Party Advisory
https://security.netapp.com/advisory/ntap-20190530-0001/ CONFIRM Third Party Advisory
[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST Mailing List Third Party Advisory
[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST Mailing List Third Party Advisory
[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year MLIST Mailing List Patch Third Party Advisory
[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year MLIST Mailing List Patch Third Party Advisory
[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8) MLIST Mailing List Third Party Advisory
[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year MLIST Mailing List Patch Third Party Advisory

Source: NVD – CVE-2018-1000632
Published: 2018-08-20T19:31Z, last modified: 2021-05-12T18:15Z