7.5

CVE-2018-1000632

Exploit
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dom4j ProjectDom4j Version >= 2.0.0 < 2.0.3
Dom4j ProjectDom4j Version >= 2.1.0 < 2.1.1
DebianDebian Linux Version8.0
OraclePrimavera P6 Enterprise Project Portfolio Management Version >= 16.1.0.0 <= 16.2.20.1
OraclePrimavera P6 Enterprise Project Portfolio Management Version >= 17.1.0.0 <= 17.12.17.1
OraclePrimavera P6 Enterprise Project Portfolio Management Version >= 18.1.0.0 <= 18.8.19.0
OraclePrimavera P6 Enterprise Project Portfolio Management Version >= 19.12.0.0 <= 19.12.6.0
OracleRapid Planning Version12.1
OracleRapid Planning Version12.2
OracleRetail Integration Bus Version15.0
OracleRetail Integration Bus Version16.0
OracleUtilities Framework Version >= 4.3.0.2.0 <= 4.3.0.6.0
OracleUtilities Framework Version2.2.0
OracleUtilities Framework Version4.2.0.2.0
OracleUtilities Framework Version4.2.0.3.0
OracleUtilities Framework Version4.4.0.0.0
OracleUtilities Framework Version4.4.0.2
RedhatSatellite Version6.6
RedhatSatellite Capsule Version6.6
RedhatJboss Enterprise Application Platform Version6.0.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version6.4.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
RedhatJboss Enterprise Application Platform Version7.1.0
   RedhatEnterprise Linux Version6.0
   RedhatEnterprise Linux Version7.0
NetappSnapcenter Version-
NetappSnapmanager Version- SwPlatformoracle
NetappSnapmanager Version- SwPlatformsap
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.57% 0.93
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
https://access.redhat.com/errata/RHSA-2019:1159
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1160
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1161
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1162
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0362
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0364
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0365
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0380
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3172
Third Party Advisory
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
Patch
Third Party Advisory
https://github.com/dom4j/dom4j/issues/48
Third Party Advisory
https://ihacktoprotect.com/post/dom4j-xml-injection/
Third Party Advisory
Exploit
https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E
https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E
https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/
https://security.netapp.com/advisory/ntap-20190530-0001/
Third Party Advisory