csaf_opensuse - opensuse-su-2018:4045-1

OPENSUSE-SU-2018:4045-1

Vulnerability from csaf_opensuse - Published: 2018-12-07 18:04 - Updated: 2018-12-07 18:04

Summary

Security update for dom4j

Notes

Title of the patch

Security update for dom4j

Description of the patch

This update for dom4j fixes the following issues: - CVE-2018-1000632: Prevent XML injection that could have resulted in an attacker tampering with XML documents (bsc#1105443). This update was imported from the SUSE:SLE-15:Update update project. This update was imported from the openSUSE:Leap:15.0:Update update project.

Patchnames

openSUSE-2018-1492

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for dom4j",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for dom4j fixes the following issues:\n\n- CVE-2018-1000632: Prevent XML injection that could have resulted in an\n  attacker tampering with XML documents (bsc#1105443).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\nThis update was imported from the openSUSE:Leap:15.0:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2018-1492",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2018_4045-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2018:4045-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ/#5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2018:4045-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ/#5RYPCWEZ3MOAPSZ2627N5DL77DKXKBDQ"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1105443",
        "url": "https://bugzilla.suse.com/1105443"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1000632 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1000632/"
      }
    ],
    "title": "Security update for dom4j",
    "tracking": {
      "current_release_date": "2018-12-07T18:04:50Z",
      "generator": {
        "date": "2018-12-07T18:04:50Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2018:4045-1",
      "initial_release_date": "2018-12-07T18:04:50Z",
      "revision_history": [
        {
          "date": "2018-12-07T18:04:50Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "dom4j-1.6.1-bp150.2.3.1.noarch",
                "product": {
                  "name": "dom4j-1.6.1-bp150.2.3.1.noarch",
                  "product_id": "dom4j-1.6.1-bp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "dom4j-demo-1.6.1-bp150.2.3.1.noarch",
                "product": {
                  "name": "dom4j-demo-1.6.1-bp150.2.3.1.noarch",
                  "product_id": "dom4j-demo-1.6.1-bp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
                "product": {
                  "name": "dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
                  "product_id": "dom4j-javadoc-1.6.1-bp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "dom4j-manual-1.6.1-bp150.2.3.1.noarch",
                "product": {
                  "name": "dom4j-manual-1.6.1-bp150.2.3.1.noarch",
                  "product_id": "dom4j-manual-1.6.1-bp150.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15",
                "product": {
                  "name": "SUSE Package Hub 15",
                  "product_id": "SUSE Package Hub 15"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dom4j-1.6.1-bp150.2.3.1.noarch as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:dom4j-1.6.1-bp150.2.3.1.noarch"
        },
        "product_reference": "dom4j-1.6.1-bp150.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dom4j-demo-1.6.1-bp150.2.3.1.noarch as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:dom4j-demo-1.6.1-bp150.2.3.1.noarch"
        },
        "product_reference": "dom4j-demo-1.6.1-bp150.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dom4j-javadoc-1.6.1-bp150.2.3.1.noarch as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:dom4j-javadoc-1.6.1-bp150.2.3.1.noarch"
        },
        "product_reference": "dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "dom4j-manual-1.6.1-bp150.2.3.1.noarch as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:dom4j-manual-1.6.1-bp150.2.3.1.noarch"
        },
        "product_reference": "dom4j-manual-1.6.1-bp150.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000632",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1000632"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15:dom4j-1.6.1-bp150.2.3.1.noarch",
          "SUSE Package Hub 15:dom4j-demo-1.6.1-bp150.2.3.1.noarch",
          "SUSE Package Hub 15:dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
          "SUSE Package Hub 15:dom4j-manual-1.6.1-bp150.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1000632",
          "url": "https://www.suse.com/security/cve/CVE-2018-1000632"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1105443 for CVE-2018-1000632",
          "url": "https://bugzilla.suse.com/1105443"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15:dom4j-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-demo-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-manual-1.6.1-bp150.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Package Hub 15:dom4j-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-demo-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-javadoc-1.6.1-bp150.2.3.1.noarch",
            "SUSE Package Hub 15:dom4j-manual-1.6.1-bp150.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-12-07T18:04:50Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-1000632"
    }
  ]
}

CVE-2018-1000632 (GCVE-0-2018-1000632)

Vulnerability from cvelistv5 – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40

Summary

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://lists.debian.org/debian-lts-announce/2018…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0364	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0362	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0365	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:0380	vendor-advisoryx_refsource_REDHAT
	https://lists.apache.org/thread.html/708d94141126…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:1160	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1162	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1159	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1161	vendor-advisoryx_refsource_REDHAT
	https://lists.apache.org/thread.html/7f6e120e6ed4…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/4a77652531d6…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/5a020ecaa3c7…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/00571f362a7a…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/d7d960b2778e…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/9d4c1af6f702…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/7e9e78f0e428…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:3172	vendor-advisoryx_refsource_REDHAT
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://www.oracle.com/technetwork/security-advis…	x_refsource_CONFIRM
	https://github.com/dom4j/dom4j/issues/48	x_refsource_CONFIRM
	https://github.com/dom4j/dom4j/commit/e598eb43d41…	x_refsource_CONFIRM
	https://ihacktoprotect.com/post/dom4j-xml-injection/	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2019053…	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://lists.apache.org/thread.html/rb1b990d7920…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:40:47.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
          },
          {
            "name": "RHSA-2019:0364",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0364"
          },
          {
            "name": "RHSA-2019:0362",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0362"
          },
          {
            "name": "RHSA-2019:0365",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0365"
          },
          {
            "name": "RHSA-2019:0380",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0380"
          },
          {
            "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
          },
          {
            "name": "RHSA-2019:1160",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1160"
          },
          {
            "name": "RHSA-2019:1162",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1162"
          },
          {
            "name": "RHSA-2019:1159",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1159"
          },
          {
            "name": "RHSA-2019:1161",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1161"
          },
          {
            "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
          },
          {
            "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
          },
          {
            "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
          },
          {
            "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
          },
          {
            "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
          },
          {
            "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
          },
          {
            "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3172",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3172"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dom4j/dom4j/issues/48"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
          },
          {
            "name": "FEDORA-2021-f28c870528",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
          },
          {
            "name": "FEDORA-2021-8015a8cdc4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-08-19T00:00:00",
      "datePublic": "2018-07-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-07T05:06:02",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
        },
        {
          "name": "RHSA-2019:0364",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0364"
        },
        {
          "name": "RHSA-2019:0362",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0362"
        },
        {
          "name": "RHSA-2019:0365",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0365"
        },
        {
          "name": "RHSA-2019:0380",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0380"
        },
        {
          "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"
        },
        {
          "name": "RHSA-2019:1160",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1160"
        },
        {
          "name": "RHSA-2019:1162",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1162"
        },
        {
          "name": "RHSA-2019:1159",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1159"
        },
        {
          "name": "RHSA-2019:1161",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1161"
        },
        {
          "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E"
        },
        {
          "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E"
        },
        {
          "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E"
        },
        {
          "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E"
        },
        {
          "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E"
        },
        {
          "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E"
        },
        {
          "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3172",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3172"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dom4j/dom4j/issues/48"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
        },
        {
          "name": "FEDORA-2021-f28c870528",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
        },
        {
          "name": "FEDORA-2021-8015a8cdc4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2018-08-19T17:09:33.115822",
          "DATE_REQUESTED": "2018-07-30T13:22:12",
          "ID": "CVE-2018-1000632",
          "REQUESTER": "mario.s.s.areias@gmail.com",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html"
            },
            {
              "name": "RHSA-2019:0364",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0364"
            },
            {
              "name": "RHSA-2019:0362",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0362"
            },
            {
              "name": "RHSA-2019:0365",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0365"
            },
            {
              "name": "RHSA-2019:0380",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0380"
            },
            {
              "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"
            },
            {
              "name": "RHSA-2019:1160",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1160"
            },
            {
              "name": "RHSA-2019:1162",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1162"
            },
            {
              "name": "RHSA-2019:1159",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1159"
            },
            {
              "name": "RHSA-2019:1161",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1161"
            },
            {
              "name": "[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E"
            },
            {
              "name": "[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3172",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3172"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://github.com/dom4j/dom4j/issues/48",
              "refsource": "CONFIRM",
              "url": "https://github.com/dom4j/dom4j/issues/48"
            },
            {
              "name": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
              "refsource": "CONFIRM",
              "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387"
            },
            {
              "name": "https://ihacktoprotect.com/post/dom4j-xml-injection/",
              "refsource": "MISC",
              "url": "https://ihacktoprotect.com/post/dom4j-xml-injection/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190530-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190530-0001/"
            },
            {
              "name": "FEDORA-2021-f28c870528",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/"
            },
            {
              "name": "FEDORA-2021-8015a8cdc4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000632",
    "datePublished": "2018-08-20T19:00:00",
    "dateReserved": "2018-07-30T00:00:00",
    "dateUpdated": "2024-08-05T12:40:47.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2018:4045-1

CVE-2018-1000632 (GCVE-0-2018-1000632)

Tags

Sightings

Nomenclature