7.5
CVE-2018-1000632
- EPSS 6.57%
- Veröffentlicht 20.08.2018 19:31:31
- Zuletzt bearbeitet 21.11.2024 03:40:16
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dom4j Project ≫ Dom4j Version >= 2.0.0 < 2.0.3
Dom4j Project ≫ Dom4j Version >= 2.1.0 < 2.1.1
Debian ≫ Debian Linux Version8.0
Oracle ≫ Flexcube Investor Servicing Version12.0.4
Oracle ≫ Flexcube Investor Servicing Version12.1.0
Oracle ≫ Flexcube Investor Servicing Version12.3.0
Oracle ≫ Flexcube Investor Servicing Version12.4.0
Oracle ≫ Flexcube Investor Servicing Version14.0.0
Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 16.1.0.0 <= 16.2.20.1
Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 17.1.0.0 <= 17.12.17.1
Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 18.1.0.0 <= 18.8.19.0
Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 19.12.0.0 <= 19.12.6.0
Oracle ≫ Rapid Planning Version12.1
Oracle ≫ Rapid Planning Version12.2
Oracle ≫ Retail Integration Bus Version15.0
Oracle ≫ Retail Integration Bus Version16.0
Oracle ≫ Utilities Framework Version >= 4.3.0.2.0 <= 4.3.0.6.0
Oracle ≫ Utilities Framework Version2.2.0
Oracle ≫ Utilities Framework Version4.2.0.2.0
Oracle ≫ Utilities Framework Version4.2.0.3.0
Oracle ≫ Utilities Framework Version4.4.0.0.0
Oracle ≫ Utilities Framework Version4.4.0.2
Redhat ≫ Satellite Capsule Version6.6
Redhat ≫ Jboss Enterprise Application Platform Version6.0.0
Redhat ≫ Jboss Enterprise Application Platform Version6.4.0
Redhat ≫ Jboss Enterprise Application Platform Version7.1.0
Redhat ≫ Jboss Enterprise Application Platform Version6.0.0
Redhat ≫ Jboss Enterprise Application Platform Version6.4.0
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Snap Creator Framework Version-
Netapp ≫ Snapcenter Version-
Netapp ≫ Snapmanager Version- SwPlatformoracle
Netapp ≫ Snapmanager Version- SwPlatformsap
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 6.57% | 0.93 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-91 XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://access.redhat.com/errata/RHSA-2019:1159
https://access.redhat.com/errata/RHSA-2019:1160
https://access.redhat.com/errata/RHSA-2019:1161
https://access.redhat.com/errata/RHSA-2019:1162
https://access.redhat.com/errata/RHSA-2019:0362
https://access.redhat.com/errata/RHSA-2019:0364
https://access.redhat.com/errata/RHSA-2019:0365
https://access.redhat.com/errata/RHSA-2019:0380
https://access.redhat.com/errata/RHSA-2019:3172
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
https://github.com/dom4j/dom4j/issues/48
https://ihacktoprotect.com/post/dom4j-xml-injection/
https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/
https://security.netapp.com/advisory/ntap-20190530-0001/