What is CVE-2020-10683?

CVE-2020-10683 is a critical-severity vulnerability in Dom4j_project Dom4j, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2020-05-01.

How severe is CVE-2020-10683?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2020-10683 known to be exploited?

10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XXE in Dom4j_project Dom4j

CVE-2020-10683

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavi…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.073 (93.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Dom4j_project Dom4j
Netapp Oncommand_api_services
Netapp Oncommand_workflow_automation
Netapp Snapcenter
Netapp Snap_creator_framework
Netapp Snapmanager
Oracle Agile_plm — versions 9.3.3, 9.3.5
Oracle Application_testing_suite — versions 13.3.0.1
Oracle Banking_platform
Oracle Business_process_management_suite — versions 12.2.1.3.0, 12.2.1.4.0

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

Public proof-of-concept exploits

References

cve@mitre.org (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
cve@mitre.org (Third Party Advisory, x_refsource_MISC)
cve@mitre.org (Third Party Advisory, x_refsource_MISC)
cve@mitre.org (Patch, Third Party Advisory, x_refsource_MISC, Issue Tracking)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory, Release Notes)
cve@mitre.org (x_refsource_CONFIRM, Patch, Third Party Advisory)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
cve@mitre.org (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
cve@mitre.org (Patch, Third Party Advisory, x_refsource_MISC)
cve@mitre.org (Third Party Advisory, x_refsource_MISC)

Frequently asked questions

What is CVE-2020-10683?: CVE-2020-10683 is a critical-severity vulnerability in Dom4j_project Dom4j, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 9.8/10. Published 2020-05-01.
How severe is CVE-2020-10683?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2020-10683 known to be exploited?: 10 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.