Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2020-10683

Disclosure Date: May 01, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • canonical,
  • dom4j project,
  • netapp,
  • opensuse,
  • oracle

Products

  • agile plm 9.3.3,
  • agile plm 9.3.5,
  • application testing suite 13.3.0.1,
  • banking platform,
  • business process management suite 12.2.1.3.0,
  • business process management suite 12.2.1.4.0,
  • communications application session controller 3.9m0p1,
  • communications diameter signaling router,
  • communications unified inventory management 7.3.0,
  • communications unified inventory management 7.4.0,
  • data integrator 12.2.1.3.0,
  • data integrator 12.2.1.4.0,
  • documaker,
  • dom4j,
  • endeca information discovery integrator 3.2.0,
  • enterprise data quality 11.1.1.9.0,
  • enterprise data quality 12.2.1.3.0,
  • enterprise manager base platform 13.4.0.0,
  • financial services analytical applications infrastructure,
  • flexcube core banking 11.10.0,
  • flexcube core banking 11.7.0,
  • flexcube core banking 11.8.0,
  • flexcube core banking 11.9.0,
  • fusion middleware 12.2.1.4.0,
  • health sciences empirica signal 9.0,
  • health sciences information manager 3.0.1,
  • insurance policy administration j2ee,
  • insurance policy administration j2ee 10.2.0,
  • insurance policy administration j2ee 10.2.4,
  • insurance policy administration j2ee 11.0.2,
  • insurance rules palette,
  • insurance rules palette 10.2.0,
  • insurance rules palette 10.2.4,
  • insurance rules palette 11.0.2,
  • jdeveloper 12.2.1.4.0,
  • leap 15.1,
  • oncommand api services -,
  • oncommand workflow automation -,
  • primavera p6 enterprise project portfolio management,
  • rapid planning 12.1,
  • rapid planning 12.2,
  • retail customer management and segmentation foundation 16.0,
  • retail customer management and segmentation foundation 17.0,
  • retail customer management and segmentation foundation 18.0,
  • retail customer management and segmentation foundation 19.0,
  • retail integration bus 15.0,
  • retail integration bus 16.0,
  • retail order broker 15.0,
  • retail order broker 16.0,
  • retail order broker 18.0,
  • retail order broker 19.0,
  • retail order broker 19.1,
  • retail price management 14.0.3,
  • retail price management 14.1.3.0,
  • retail price management 15.0.3.0,
  • retail price management 16.0.3.0,
  • retail xstore point of service 15.0.4,
  • retail xstore point of service 16.0.6,
  • retail xstore point of service 17.0.4,
  • retail xstore point of service 18.0.3,
  • snap creator framework -,
  • snapcenter -,
  • snapmanager -,
  • storagetek tape analytics sw tool 2.3,
  • ubuntu linux 16.04,
  • utilities framework,
  • utilities framework 2.2.0.0.0,
  • utilities framework 4.2.0.2.0,
  • utilities framework 4.2.0.3.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • webcenter portal 11.1.1.9.0,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0

References

Additional Info

Technical Analysis