[Bugs] [Bug 13516] New: [CVE 21] dom4j 2.0.0 CVEs found
bugzilla
bugzilla на rosalinux.ru
Ср Авг 23 23:19:03 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13516
Platform: 2021.1
Bug ID: 13516
Summary: [CVE 21] dom4j 2.0.0 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2018-1000632, CVE-2020-10683,
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs на lists.rosalinux.ru
Reporter: y.tumanov на rosalinux.ru
QA Contact: bugs на lists.rosalinux.ru
CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
y.tumanov на rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package dom4j version 2.0.0
INFO (CVEs are): dom4j 2.0.0
cves found
CVE-2018-1000632
Desc: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection
vulnerability in Class: Element. Methods: addElement, addAttribute that can
result in an attacker tampering with XML documents through XML injection. This
attack appear to be exploitable via an attacker specifying attributes or
elements in the XML document. This vulnerability appears to have been fixed in
2.1.1 or later.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
Severity: HIGH
CVE-2020-10683
Desc: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and
External Entities by default, which might enable XXE attacks. However, there is
popular external documentation from OWASP showing how to enable the safe,
non-default behavior in any application that uses dom4j.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10683
Severity: CRITICAL
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/6334f6c7/attachment.html>
Подробная информация о списке рассылки Bugs