Bug 719318 (CVE-2020-10683) - dev-java/dom4j: XML External Entity (XEE) vulnerability in default SAX parser (CVE-2020-10683)
Status: IN_PROGRESS
Alias: CVE-2020-10683
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [ebuild cve]
Duplicates: 720728
Reported: 2020-04-24 22:35 UTC by Sam James
Modified: 2020-07-27 16:57 UTC
Description Sam James archtester gentoo-dev Security 2020-04-24 22:35:05 UTC
Description:
"XML External Entity vulnerability in default SAX parser"

Patches:
* https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
* https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
Comment 1 Sam James archtester gentoo-dev Security 2020-07-27 16:56:59 UTC
*** Bug 720728 has been marked as a duplicate of this bug. ***
Comment 2 Sam James archtester gentoo-dev Security 2020-07-27 16:57:39 UTC
CVE-2020-10683 (https://nvd.nist.gov/vuln/detail/CVE-2020-10683):
  dom4j before 2.1.3 allows external DTDs and External Entities by default,
  which might enable XXE attacks. However, there is popular external
  documentation from OWASP showing how to enable the safe, non-default
  behavior in any application that uses dom4j.
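The following is an added example and not code from this bug, from dom4j or from the OWASP page the comment refers to. It shows the "safe, non-default behavior" in a form that can be dropped into an application using dom4j's SAXReader: the reader is configured to reject any DOCTYPE and to disable external general and parameter entities, then a constructed plain document and a constructed document carrying a DOCTYPE are parsed to confirm the second one is refused. The feature URIs are the standard SAX/Xerces ones recommended for XXE prevention (an assumption about the underlying JAXP parser, not something the bug states), and the class name, helper names and sample XML are constructed for this example.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4jReader {

    // Build a SAXReader that refuses DOCTYPE declarations and external entities.
    // disallow-doctype-decl alone is enough to stop external entity resolution,
    // since entities can only be declared inside a DOCTYPE; the remaining
    // features are defence in depth for parsers that honour them.
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Parse a string with the given reader and return the root element name,
    // or null when the reader rejects the document.
    public static String rootElementOrNull(SAXReader reader, String xml) {
        try {
            Document doc = reader.read(new StringReader(xml));
            return doc.getRootElement().getName();
        } catch (DocumentException e) {
            // With disallow-doctype-decl set, any DOCTYPE ends up here.
            return null;
        }
    }

    public static void main(String[] args) throws SAXException {
        SAXReader reader = newHardenedReader();

        // Constructed sample input: a plain document with no DTD; this parses.
        String plain = "<config><name>example</name></config>";

        // Constructed sample input: a document carrying a DOCTYPE. It declares
        // only a harmless internal entity, but the hardened reader rejects any
        // DOCTYPE at all, which is the behaviour an application wants when the
        // XML comes from an untrusted source.
        String withDoctype =
            "<!DOCTYPE config [<!ENTITY greet \"hello\">]>"
            + "<config><name>&greet;</name></config>";

        System.out.println("plain document root: " + rootElementOrNull(reader, plain));
        System.out.println("document with DOCTYPE: " + rootElementOrNull(reader, withDoctype));
    }
}
```

Compile and run it with dom4j 2.x on the classpath; the first line prints `config` and the second prints `null`. Applications that legitimately need a DTD should leave disallow-doctype-decl unset and rely on the two external-entity features plus load-external-dtd, but for the common case of parsing untrusted input, rejecting the DOCTYPE outright is the simplest configuration to audit, and it closes the default-behaviour gap this bug describes for dom4j releases before 2.1.3.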