PT-2019-5542 · Org.Dom4J+2 · Dom4J+2

Published

2019-03-29

·

Updated

2026-05-19

·

CVE-2020-10683

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: dom4j versions 1.x and 2.0.x through 2.1.2; dom4j version 2.1.x before 2.1.3
Description: The dom4j library does not properly restrict XML external entity references (XXE). It allows external DTDs and external entities by default, so any application that parses untrusted XML with dom4j can be subjected to XXE attacks. A remote attacker could use this to make the application read local files or contact internal hosts, and thereby gain unauthorized access to protected information. External documentation from OWASP shows how to enable the safe, non-default behaviour in any application that uses dom4j.

Recommendations: For dom4j 1.x, migrate to the latest version of org.dom4j:dom4j (the 2.x line; 1.x was published under the older dom4j:dom4j coordinates). For dom4j 2.0.x through 2.1.2, update to version 2.1.3 or later. Where an immediate upgrade is not possible, disable external DTDs and external entities on every SAXReader the application creates. Keep the number of places that construct a new org.dom4j.io.SAXReader() to a minimum, ideally one central factory, so that untrusted XML never reaches a reader that has not been hardened.
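The following Java program is an added example, not code from this advisory or from the dom4j project. It contrasts a default SAXReader with one hardened as the OWASP XXE prevention guidance describes, using a constructed payload that declares an external entity pointing at a local file. The class name, the sample document and the file path it references are assumptions chosen for illustration; the SAXReader methods and the SAX/Xerces feature URIs are the real ones.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeDemo {

    // Constructed sample input (not a real document from the advisory): the DTD
    // declares an external entity that resolves to a local file and the body
    // expands it. On a default SAXReader older than 2.1.3 the parser fetches the
    // file and its contents end up inside <data>.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<root><data>&xxe;</data></root>";

    // Vulnerable pattern: a bare SAXReader on dom4j 1.x / 2.0.x / 2.1.0-2.1.2
    // keeps external DTDs and external entities enabled.
    static Document parseUnsafe(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        return reader.read(new StringReader(xml));
    }

    // Hardened pattern: switch off DOCTYPE handling and external entity
    // resolution on the underlying SAX parser. This works on every dom4j
    // version, so it also protects installations that cannot upgrade yet.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Strongest option: reject any DOCTYPE. If your documents legitimately
        // carry a DTD, drop this line and rely on the three features below.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // dom4j-level switches: do not copy DTD declarations into the Document tree.
        reader.setIncludeExternalDTDDeclarations(false);
        reader.setIncludeInternalDTDDeclarations(false);
        return reader;
    }

    static Document parseSafe(String xml) throws DocumentException, SAXException {
        return hardenedReader().read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        try {
            Document unsafe = parseUnsafe(XXE_PAYLOAD);
            // On an unpatched dom4j this prints the contents of /etc/hostname.
            System.out.println("default SAXReader resolved <data> to: "
                + unsafe.getRootElement().elementText("data"));
        } catch (DocumentException e) {
            System.out.println("default SAXReader rejected input: " + e.getMessage());
        }

        try {
            parseSafe(XXE_PAYLOAD);
            System.out.println("hardened reader parsed the document (unexpected with DOCTYPE present)");
        } catch (DocumentException e) {
            // With disallow-doctype-decl the parser refuses the document outright,
            // so the external entity is never resolved.
            System.out.println("hardened reader rejected input: " + e.getMessage());
        }
    }
}
```

Route every parse through a single factory like hardenedReader() rather than calling new SAXReader() at each call site; that is the practical form of the advisory's advice to restrict access to the SAXReader constructor, and it makes a code review for XXE a one-method check.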

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2020-04038
CVE-2020-10683
DLA-2191-1
GHSA-HWJ3-M3P6-HJ38
MGASA-2021-0034
OPENSUSE-SU-2020:0719-1
OPENSUSE-SU-2024:10724-1
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
ROSA-SA-2024-2454
SUSE-SU-2020:1382-1
SUSE-SU-2020:1383-1
USN-4575-1

Affected Products

Suse
Ubuntu
Dom4J