CVE-2020-10683
XXE vulnerability in dom4j (Maven)

Vulnerability type: XXE. Known exploits: none.

What is CVE-2020-10683 About?

dom4j before 2.1.3 allows external DTDs and External Entities by default, making it vulnerable to XML External Entity (XXE) attacks. This can enable attackers to read arbitrary files, perform server-side request forgery, or trigger denial-of-service conditions. Exploitation is typically straightforward if an application processes untrusted XML input using the default dom4j configuration.

Affected Software

  • org.dom4j:dom4j
    • >2.1.0, <2.1.3
    • <2.0.3
  • dom4j:dom4j
    • <=1.6.1

Technical Details

The dom4j library, specifically versions before 2.1.3 (especially dom4j:dom4j version 1.x legacy artifacts), is configured by default to resolve external DTDs (Document Type Definitions) and external entities when parsing XML. This default behavior makes it susceptible to XML External Entity (XXE) attacks. An attacker can craft a malicious XML document that includes a DOCTYPE declaration defining external entities. These external entities can reference local files (e.g., file:///etc/passwd), network resources (e.g., http://attacker.com/malicious.dtd), or induce a denial-of-service condition (e.g., through recursive entity expansion, known as a 'billion laughs' attack). When dom4j parses this XML, it will attempt to resolve and include the content of these external entities, allowing the attacker to read arbitrary files from the server, perform server-side request forgery (SSRF) to scan internal networks, or exhaust system resources. The vulnerability lies in the parser's trust in external entity definitions without explicit configuration to disable them.
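Because the vulnerable versions resolve external DTDs and entities unless told otherwise, the practical mitigation (alongside upgrading, see the fixes below) is to configure SAXReader explicitly. The following is an added example written for this page, not code from the dom4j project; it uses the standard Xerces/SAX feature URIs and dom4j's public SAXReader API, and the DOCTYPE sample input is constructed with a placeholder path:

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4j {

    // Builds a SAXReader that refuses DOCTYPE declarations and never resolves
    // external DTDs or entities, whatever the installed dom4j version's defaults.
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting any DOCTYPE is the most robust setting: it blocks external
        // entities, parameter entities and entity-expansion DoS alike.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE rule is later relaxed for a schema.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setIncludeExternalDTDDeclarations(false);
        return reader;
    }

    // Entry point for any XML that comes from an untrusted source (API body, upload).
    public static Document parseUntrusted(String xml) throws DocumentException, SAXException {
        return hardenedReader().read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity, the shape every
        // XXE payload shares. The SYSTEM path is a placeholder and is never read.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///placeholder/never/read\">]>"
            + "<note>&ext;</note>";
        String plain = "<note>hello</note>";

        System.out.println("plain root: " + parseUntrusted(plain).getRootElement().getName());
        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted, parser is not hardened");
        } catch (DocumentException e) {
            // Expected: the document is rejected before any entity is resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The rejection of the DOCTYPE case is the check to keep in a unit test so that a future dependency or configuration change cannot silently reintroduce entity resolution.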

What is the Impact of CVE-2020-10683?

Successful exploitation may allow attackers to read arbitrary files from the server, perform server-side request forgery (SSRF), or trigger denial-of-service conditions via crafted XML input.

What is the Exploitability of CVE-2020-10683?

Exploitation of this XXE vulnerability typically requires an attacker to supply a specially crafted XML document to an application that uses the vulnerable dom4j library with its default configurations. No authentication is required if the application processes untrusted XML input (e.g., from an API endpoint or file upload). The attack is remote. The complexity is relatively low for an attacker familiar with XXE techniques, as the default configuration is permissive. The primary prerequisite is the ability to submit XML input to the application. The risk is significantly increased for applications that parse unvalidated XML from external sources without explicitly disabling external entity processing in dom4j.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2020-10683?

Available Upgrade Options

  • org.dom4j:dom4j
    • <2.0.3 → Upgrade to 2.0.3
  • org.dom4j:dom4j
    • >2.1.0, <2.1.3 → Upgrade to 2.1.3


Additional Resources

What are Similar Vulnerabilities to CVE-2020-10683?

Similar Vulnerabilities: CVE-2017-1000487, CVE-2018-1000613, CVE-2019-12384, CVE-2020-10650, CVE-2021-23840