<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] dom4j 2.0.0 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13516">13516</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] dom4j 2.0.0 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2018-1000632, CVE-2020-10683,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package dom4j version 2.0.0
INFO (CVEs are): dom4j 2.0.0
CVEs found
CVE-2018-1000632
Desc: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection
vulnerability in Class: Element. Methods: addElement, addAttribute that can
result in an attacker tampering with XML documents through XML injection. This
attack appears to be exploitable via an attacker specifying attributes or
elements in the XML document. This vulnerability appears to have been fixed in
2.1.1 or later.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632">https://nvd.nist.gov/vuln/detail/CVE-2018-1000632</a>
Severity: HIGH
CVE-2020-10683
Desc: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and
External Entities by default, which might enable XXE attacks. However, there is
popular external documentation from OWASP showing how to enable the safe,
non-default behavior in any application that uses dom4j.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-10683">https://nvd.nist.gov/vuln/detail/CVE-2020-10683</a>
Severity: CRITICAL</pre>
</div>
</p>
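<p>The "safe, non-default behavior" that the CVE-2020-10683 entry refers to is parser configuration in the application, not anything in dom4j 2.0.0 itself. The following is an added example, not code from this bug report or from the dom4j project: it assumes dom4j on the classpath with the JDK's default SAX parser (Xerces-derived, which recognises these feature URIs), and the class and method names are hypothetical. It builds a hardened SAXReader that refuses any DOCTYPE and does not resolve external entities or fetch external DTDs, then shows a plain document being accepted and a constructed document with a DOCTYPE being rejected.</p>

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/** Hypothetical helper: dom4j configured so untrusted XML cannot trigger XXE. */
public class SafeDom4jReader {

    /** Build a SAXReader with the non-default hardening OWASP documents for dom4j. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE outright: without a DTD there are no entity declarations.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DOCTYPE were allowed, never resolve entities.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Never fetch an external DTD referenced by the document (no SSRF via DTD).
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        return reader;
    }

    /** Parse untrusted XML with the hardened reader; throws if a DOCTYPE is present. */
    static Document parseUntrusted(String xml) throws SAXException, DocumentException {
        return hardenedReader().read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document is accepted as usual.
        Document ok = parseUntrusted("<config><name>demo</name></config>");
        System.out.println("accepted root: " + ok.getRootElement().getName());

        // Constructed sample input: any DOCTYPE (the vehicle for XXE) is refused.
        String withDoctype = "<!DOCTYPE config [<!ENTITY e \"x\">]><config>&e;</config>";
        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (DocumentException e) {
            // dom4j wraps the parser's SAXParseException in a DocumentException.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

<p>Because the protection lives in the application's reader configuration, it is worth applying even after upgrading to a dom4j release that changes the default, so that a later parser or library swap cannot silently reopen the issue.</p>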
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>