dom4j versions prior to 2.1.1 contain a CWE-91 (XML Injection) vulnerability in the class Element, methods addElement and addAttribute, that can result in an attacker tampering with XML documents through XML injection. The attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. The vulnerability appears to have been fixed in version 2.1.1 and later.
[
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "get",
"file": "src/main/java/org/dom4j/tree/QNameCache.java"
},
"id": "CVE-2018-1000632-35488c68",
"signature_type": "Function",
"digest": {
"length": 327.0,
"function_hash": "199325550788090166794109819653578629307"
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "src/main/java/org/dom4j/Namespace.java"
},
"id": "CVE-2018-1000632-3bd6d515",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"314198188812661398941202424502439283026",
"82741579659803731321705998136504987739",
"151797185316034688866896672041363997013",
"199636037147929886189862213997516158628"
]
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "src/main/java/org/dom4j/tree/QNameCache.java"
},
"id": "CVE-2018-1000632-4648bb49",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147422418505375895194094920885579697205",
"168608690976820459163785128903439418592",
"285563659170242935906162937712434995479",
"267323759805984201773350446167363660338"
]
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "QName",
"file": "src/main/java/org/dom4j/QName.java"
},
"id": "CVE-2018-1000632-4d9be67a",
"signature_type": "Function",
"digest": {
"length": 193.0,
"function_hash": "275065499305021125980377239777979989974"
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "QName",
"file": "src/main/java/org/dom4j/QName.java"
},
"id": "CVE-2018-1000632-91a793ae",
"signature_type": "Function",
"digest": {
"length": 156.0,
"function_hash": "50164286232166251017957768309715539050"
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "src/main/java/org/dom4j/QName.java"
},
"id": "CVE-2018-1000632-b4519614",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"159068995644970077640297364713887969558",
"80789274561771364052924301408417159154",
"151816500673044903496109026899881602596",
"59332901774669520718939558736875745473",
"280096135076175038850825573070871643726",
"214913607474329058805161896514755869583",
"42351094760623045212581057695845210285",
"168930601465629580222610550953789028778",
"91625039504964879982004240932877008270",
"235041418355810679284335301429235532350",
"30821750415135255648048159171374174012",
"85346269660141706510647755255497829709",
"113698993995322993817647003012983568741",
"255488862362652146981607753092155544836",
"290124909029656121859884563217930534750",
"261387688273661779705760898402365817095",
"109320987176496713575563761446899179581",
"257960915943106047139086468834030106362"
]
}
},
{
"source": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "Namespace",
"file": "src/main/java/org/dom4j/Namespace.java"
},
"id": "CVE-2018-1000632-c731c98f",
"signature_type": "Function",
"digest": {
"length": 138.0,
"function_hash": "206188708269763143262114288589286603567"
}
}
]