CVE-2018-1000632
XML Injection vulnerability in org.dom4j:dom4j
What is CVE-2018-1000632 About?
`dom4j` versions prior to 2.1.1 are vulnerable to XML Injection, specifically CWE-91. Attackers can tamper with XML documents by injecting malicious attributes or elements. This is exploitable when an application processes untrusted input directly into XML document construction methods.
Affected Software
- org.dom4j:dom4j
  - >2.1.0, <2.1.1
  - <2.0.3
- dom4j:dom4j
  - <=1.6.1
Technical Details
The `dom4j` library versions prior to 2.1.1 contain an XML Injection vulnerability within the `Element.addElement` and `Element.addAttribute` methods. This flaw occurs because these methods do not adequately sanitize or escape user-controlled input before embedding it into XML documents. An attacker can supply input containing XML metacharacters (e.g., `<`, `>`, `"`, `'`, `&`) that, when processed by `addElement` or `addAttribute`, are directly interpreted as part of the XML structure rather than plain text. This allows the attacker to inject arbitrary elements, attributes, or even modify the XML document's structure, violating its intended integrity and potentially enabling data manipulation, information disclosure, or other XML-based attacks.
What is the Impact of CVE-2018-1000632?
Successful exploitation may allow attackers to tamper with XML documents, leading to data manipulation, unauthorized data access, or the disruption of XML-based data processing.
What is the Exploitability of CVE-2018-1000632?
Exploitation complexity is moderate, as it requires an application to use the vulnerable `dom4j` library and accept attacker-controlled input that is then directly used by the `addElement` or `addAttribute` methods without proper sanitization. No specific authentication is required if the vulnerable functionality is exposed to unauthenticated users, but authenticated access might be a prerequisite depending on the application. No special privileges are inherently needed. This can be a remote vulnerability if the application processes untrusted external input (e.g., from web forms, API calls) or local if via file processing. The primary risk factor is the application's failure to validate or escape input before passing it to susceptible `dom4j` methods.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1000632?
Available Upgrade Options
- org.dom4j:dom4j
  - <2.0.3 → Upgrade to 2.0.3
- org.dom4j:dom4j
  - >2.1.0, <2.1.1 → Upgrade to 2.1.1
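Where application code passes externally supplied names to `Element.addElement` or `Element.addAttribute`, the input validation mentioned under exploitability can be enforced in the application itself. The following is an added example, not code from dom4j or from this advisory; the `SafeDom4jNames` class, its wrapper methods and the name pattern are assumptions chosen for illustration, the sample inputs are constructed, and it needs dom4j on the classpath.

```java
import java.util.regex.Pattern;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/** Added example: allowlist check for names handed to dom4j builder methods. */
public class SafeDom4jNames {
    // Conservative ASCII subset of the XML Name production. Assumption: the
    // application needs no namespace prefixes or non-ASCII names.
    private static final Pattern NAME =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]{0,63}");

    static String requireName(String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal XML name rejected");
        }
        return name;
    }

    // Hypothetical wrappers: application code calls these instead of calling
    // Element.addElement / Element.addAttribute with unchecked names.
    static Element addElement(Element parent, String name) {
        return parent.addElement(requireName(name));
    }

    static Element addAttribute(Element el, String name, String value) {
        return el.addAttribute(requireName(name), value);
    }

    public static void main(String[] args) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("order");

        // Constructed sample inputs: field names as they might arrive from a
        // form. The last two contain XML metacharacters and must be refused.
        String[] fieldNames = { "item", "qty", "note><extra", "id\" other=\"x" };
        for (String field : fieldNames) {
            try {
                addAttribute(addElement(root, field), "source", "form");
                System.out.println("accepted: " + field);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + field);
            }
        }
        // Only the two well-formed names end up in the serialized document.
        System.out.println(doc.asXML());
    }
}
```

The check is validated before any dom4j call, so a rejected name never reaches the document tree regardless of the library version in use.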
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:0365
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA
- https://ihacktoprotect.com/post/dom4j-xml-injection/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E
- https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E
- https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E
- https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f
What are Similar Vulnerabilities to CVE-2018-1000632?
Similar Vulnerabilities: CVE-2019-12399, CVE-2021-44228, CVE-2022-25857, CVE-2023-38600, CVE-2023-50045
