CVE-2018-1000632

HIGHScheduled

Published:Aug 20, 2018(7 years ago)

Modified:Nov 21, 2024

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
dom4j_project	dom4j	2.0.0 - 2.0.3	-
dom4j_project	dom4j	2.1.0 - 2.1.1	-
debian	debian_linux	-

Timeline

Published
CVE disclosed publicly
Aug 20, 20187 years ago
Last Modified
Most recent update
Nov 21, 20241 year ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7c...
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab...
https://lists.debian.org/debian-lts-announce/2018/09/msg00028.htmlMailing List

CVSS Score

v3.1

7.5/ 10.0

HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

At a Glance

Affected Products

References

dom4j_project / dom4j

https://lists.fedoraproject.org/archives/list/package-announce%40lists...

https://security.netapp.com/advisory/ntap-20190530-0001/Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-507280...Patch

https://access.redhat.com/errata/RHSA-2019:0362Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0364Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0365Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0362Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0364Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0365Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0380Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1159Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1160Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1161Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1162Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3172Third Party Advisory

https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381...Patch

https://github.com/dom4j/dom4j/issues/48Third Party Advisory

https://ihacktoprotect.com/post/dom4j-xml-injection/Exploit

https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637...

https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af18...

https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a0...

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411f...

https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4...

https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698...

https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddcc...