CVE-2018-1000632

Exploit

EPSS 1%
Published 20.08.2018 19:31:31
Last modified 21.11.2024 03:40:16
Source cve@mitre.org
Teams watchlist Login
Open Login

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Affected products Warnungen 0 Metrics 3 CWE 1 References 32

Data is provided by the National Vulnerability Database (NVD)

Dom4j Project ≫ Dom4j Version >= 2.0.0 < 2.0.3

Dom4j Project ≫ Dom4j Version >= 2.1.0 < 2.1.1

Debian ≫ Debian Linux Version8.0

Oracle ≫ Flexcube Investor Servicing Version12.0.4

Oracle ≫ Flexcube Investor Servicing Version12.1.0

Oracle ≫ Flexcube Investor Servicing Version12.3.0

Oracle ≫ Flexcube Investor Servicing Version12.4.0

Oracle ≫ Flexcube Investor Servicing Version14.0.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 16.1.0.0 <= 16.2.20.1

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 17.1.0.0 <= 17.12.17.1

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 18.1.0.0 <= 18.8.19.0

Oracle ≫ Primavera P6 Enterprise Project Portfolio Management Version >= 19.12.0.0 <= 19.12.6.0

Oracle ≫ Rapid Planning Version12.1

Oracle ≫ Rapid Planning Version12.2

Oracle ≫ Retail Integration Bus Version15.0

Oracle ≫ Retail Integration Bus Version16.0

Oracle ≫ Utilities Framework Version >= 4.3.0.2.0 <= 4.3.0.6.0

Oracle ≫ Utilities Framework Version2.2.0

Oracle ≫ Utilities Framework Version4.2.0.2.0

Oracle ≫ Utilities Framework Version4.2.0.3.0

Oracle ≫ Utilities Framework Version4.4.0.0.0

Oracle ≫ Utilities Framework Version4.4.0.2

Redhat ≫ Satellite Version6.6

Redhat ≫ Satellite Capsule Version6.6

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.1.0

Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

Redhat ≫ Enterprise Linux Version5.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

Redhat ≫ Enterprise Linux Version5.0

Netapp ≫ Oncommand Workflow Automation Version-

Netapp ≫ Snap Creator Framework Version-

Netapp ≫ Snapcenter Version-

Netapp ≫ Snapmanager Version- SwPlatformoracle

Netapp ≫ Snapmanager Version- SwPlatformsap

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1%	0.76

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

https://access.redhat.com/errata/RHSA-2019:1159

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1160