CVE-2020-10683
📋 TL;DR
This vulnerability in the dom4j XML parser allows XML External Entity (XXE) attacks by default, enabling attackers to read arbitrary files, perform server-side request forgery (SSRF), or cause denial of service. It affects applications that use dom4j versions before 2.0.3, or 2.1.x before 2.1.3, to process untrusted XML input. The high CVSS score reflects the potential for complete system compromise.
💻 Affected Systems
- dom4j
- Applications using dom4j library
📦 What is this software?
Products recorded as affected:
- Agile Plm by Oracle
- Business Process Management Suite by Oracle
- Communications Application Session Controller by Oracle
- Communications Diameter Signaling Router by Oracle
- Communications Unified Inventory Management by Oracle
- Documaker by Oracle
- Dom4j by Dom4j Project
- Endeca Information Discovery Integrator by Oracle
- Enterprise Manager Base Platform by Oracle
- Financial Services Analytical Applications Infrastructure by Oracle
- Health Sciences Information Manager by Oracle
- Insurance Policy Administration J2ee by Oracle
- Leap by Opensuse
- Primavera P6 Enterprise Project Portfolio Management by Oracle
- Retail Customer Management And Segmentation Foundation by Oracle
- Storagetek Tape Analytics Sw Tool by Oracle
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via file disclosure, SSRF leading to internal network access, or denial of service through entity expansion attacks.
Likely Case
Arbitrary file read from the server filesystem, potentially exposing sensitive configuration files, credentials, or application source code.
If Mitigated
No impact if proper XXE prevention is implemented via secure parser configuration or input validation.
🎯 Exploit Status
XXE attacks are well-documented with public exploit examples. Exploitation requires the application to process attacker-controlled XML.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: dom4j 2.0.3 or 2.1.3
Vendor Advisory: https://github.com/dom4j/dom4j/commits/version-2.0.3
Restart Required: Yes
Instructions:
1. Update the dom4j dependency to version 2.0.3 or 2.1.3.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Configure SAXReader for XXE prevention
Manually configure the dom4j SAXReader to disable DTDs and external entities:

```java
import org.dom4j.io.SAXReader;

SAXReader reader = new SAXReader();
// Reject any DOCTYPE declaration, so no entities (internal or external) can be declared at all
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth: also switch off external general and parameter entity resolution
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
🧯 If You Can't Patch
- Implement XML input validation to reject XML containing DOCTYPE declarations
- Use XML schema validation to restrict allowed XML structures and prevent XXE payloads
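The workaround above, and the DOCTYPE-rejection advice under "If You Can't Patch", wrapped in a single factory method so every parse site shares the same hardened settings. This is an added example, not code from the dom4j project or from this advisory; the class name HardenedDom4jReader and the two sample documents are constructed for illustration.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4jReader {

    // Builds a SAXReader that refuses DOCTYPE declarations and external entities.
    // Keeping this in one place avoids a forgotten setFeature() call at some parse site.
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Primary control: any DOCTYPE is rejected, so no entity can be declared.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is not honoured by the underlying parser.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    // Returns true if the reader accepted the document, false if the parser rejected it.
    // The DocumentException wraps the SAXParseException raised for a disallowed DOCTYPE.
    static boolean accepts(SAXReader reader, String xml) {
        try {
            Document doc = reader.read(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (DocumentException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed sample inputs: a plain document and one that carries a DOCTYPE.
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY note \"x\">]><order>&note;</order>";

        SAXReader hardened = newHardenedReader();
        System.out.println("plain accepted:   " + accepts(hardened, plain));        // true
        System.out.println("doctype accepted: " + accepts(hardened, withDoctype));  // false
    }
}
```

The same three features apply to any SAXReader instance, including ones dom4j creates internally when you pass an XMLReader of your own, so audit every place a SAXReader is constructed rather than only the obvious entry point.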
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for dom4j versions before 2.0.3 or 2.1.x before 2.1.3
Check Version:
mvn dependency:tree | grep dom4j
or, for Gradle builds:
gradle dependencies | grep dom4j
Verify Fix Applied:
Verify dom4j version is 2.0.3 or higher, or 2.1.3 or higher for 2.1.x branch
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors mentioning external entities
- Unexpected file read operations during XML processing
- HTTP requests to internal resources triggered by XML parsing
Network Indicators:
- Outbound HTTP requests from application server during XML processing
- DNS requests for external entities defined in XML
SIEM Query:
source="application.logs" AND ("DOCTYPE" OR "ENTITY" OR "SYSTEM") AND "xml"
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1694235
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
- https://github.com/dom4j/dom4j/commits/version-2.0.3
- https://github.com/dom4j/dom4j/issues/87
- https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
- https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E
- https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200518-0002/
- https://usn.ubuntu.com/4575-1/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html