CVE-2018-1000632
Summary
| CVE | CVE-2018-1000632 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-20 19:31:00 UTC |
| Updated | 2023-11-07 02:51:00 UTC |
| Description | dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. |
Risk And Classification
Problem Types: CWE-91
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Application | Dom4j Project | Dom4j | All | All | All | All |
| Application | Netapp | Oncommand Workflow Automation | - | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Netapp | Snapmanager | - | All | All | All |
| Application | Netapp | Snap Creator Framework | - | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.0.4 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.1.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.3.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.4.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 14.0.0 | All | All | All |
| Application | Oracle | Primavera P6 Enterprise Project Portfolio Management | All | All | All | All |
| Application | Oracle | Rapid Planning | 12.1 | All | All | All |
| Application | Oracle | Rapid Planning | 12.2 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 16.0 | All | All | All |
| Application | Oracle | Utilities Framework | 2.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2 | All | All | All |
| Application | Oracle | Utilities Framework | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 5.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 6.0.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 6.4.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.1.0 | All | All | All |
| Application | Redhat | Satellite | 6.6 | All | All | All |
| Application | Redhat | Satellite Capsule | 6.6 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| #48 Validate QName inputs - throw IllegalArgumentException when quali… · dom4j/dom4j@e598eb4 · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| [SECURITY] [DLA 1517-1] dom4j security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| [SECURITY] Fedora 34 Update: dom4j-2.0.3-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Third Party Advisory |
| Validate QName inputs · Issue #48 · dom4j/dom4j · GitHub | CONFIRM | github.com | Third Party Advisory |
| [SECURITY] Fedora 33 Update: dom4j-2.0.3-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE-2018-1000632 Dom4j Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Oracle Critical Patch Update - January 2019 | CONFIRM | www.oracle.com | Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| XML Injection in dom4j library · I hack to protect | MISC | ihacktoprotect.com | Exploit, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 34 Update: dom4j-2.0.3-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | Third Party Advisory |
| [SECURITY] Fedora 33 Update: dom4j-2.0.3-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.