CVE-2020-10683 — dom4j allows External Entities by default which might enable XXE attacks

Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

How to fix CVE-2020-10683

To remediate CVE-2020-10683, upgrade the affected package to a fixed version below.

—upgrade to 2.1.3-1 or later
—upgrade to 1.6.1+dfsg.3-2+deb8u2 or later
—no fix listed
—upgrade to 2.0.3 or later

Is CVE-2020-10683 being exploited?

Moderate — EPSS is 7.0%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

from 0, < 2.1.3-1
from 0, < 1.6.1+dfsg.3-2+deb8u2
from 0, <= 1.6.1
from 0, < 2.0.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (24)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-10683
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-10683
PATCHgithub.com/dom4j/dom4j
WEBlists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
WEB