CVE-2018-1000632 (CNNVD-201808-625)
HIGH
中文标题:
dom4j 安全漏洞
英文标题:
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Elemen...
CVSS分数:
7.5
发布时间:
2018-08-20 19:00:00
漏洞类型:
其他
状态:
PUBLISHED
数据质量分数:
0.30
数据版本:
v3
漏洞描述
中文描述:
dom4j是一款支持DOM、SAX、JAXP和Java平台的用于处理XML文件的开源框架。 dom4j 2.1.1之前版本中的Class: Element存在安全漏洞,该漏洞源于程序没有验证输入。攻击者可通过指定XML文档中的属性或元素利用该漏洞执行篡改操作。
英文描述:
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
CWE类型:
CWE-91
标签:
(暂无数据)
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| dom4j_project | dom4j | * | - | - |
cpe:2.3:a:dom4j_project:dom4j:*:*:*:*:*:*:*:*
|
| debian | debian_linux | 8.0 | - | - |
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
|
| oracle | flexcube_investor_servicing | 12.0.4 | - | - |
cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*
|
| oracle | flexcube_investor_servicing | 12.1.0 | - | - |
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*
|
| oracle | flexcube_investor_servicing | 12.3.0 | - | - |
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*
|
| oracle | flexcube_investor_servicing | 12.4.0 | - | - |
cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*
|
| oracle | flexcube_investor_servicing | 14.0.0 | - | - |
cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*
|
| oracle | primavera_p6_enterprise_project_portfolio_management | * | - | - |
cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
|
| oracle | rapid_planning | 12.1 | - | - |
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
|
| oracle | rapid_planning | 12.2 | - | - |
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
|
| oracle | retail_integration_bus | 15.0 | - | - |
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
|
| oracle | retail_integration_bus | 16.0 | - | - |
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
|
| oracle | utilities_framework | * | - | - |
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
|
| oracle | utilities_framework | 2.2.0 | - | - |
cpe:2.3:a:oracle:utilities_framework:2.2.0:*:*:*:*:*:*:*
|
| oracle | utilities_framework | 4.2.0.2.0 | - | - |
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
|
| oracle | utilities_framework | 4.2.0.3.0 | - | - |
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
|
| oracle | utilities_framework | 4.4.0.0.0 | - | - |
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
|
| oracle | utilities_framework | 4.4.0.2 | - | - |
cpe:2.3:a:oracle:utilities_framework:4.4.0.2:*:*:*:*:*:*:*
|
| redhat | satellite | 6.6 | - | - |
cpe:2.3:a:redhat:satellite:6.6:*:*:*:*:*:*:*
|
| redhat | satellite_capsule | 6.6 | - | - |
cpe:2.3:a:redhat:satellite_capsule:6.6:*:*:*:*:*:*:*
|
| redhat | jboss_enterprise_application_platform | 6.0.0 | - | - |
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
|
| redhat | jboss_enterprise_application_platform | 6.4.0 | - | - |
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
|
| redhat | jboss_enterprise_application_platform | 7.1.0 | - | - |
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
|
| netapp | oncommand_workflow_automation | - | - | - |
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
|
| netapp | snap_creator_framework | - | - | - |
cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
|
| netapp | snapcenter | - | - | - |
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
|
| netapp | snapmanager | - | - | - |
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
|
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
[debian-lts-announce] 20180924 [SECURITY] [DLA 1517-1] dom4j security update
mailing-list
cve.org
访问
cve.org
RHSA-2019:0364
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:0362
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:0365
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:0380
vendor-advisory
cve.org
访问
cve.org
[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
mailing-list
cve.org
访问
cve.org
RHSA-2019:1160
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1162
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1159
vendor-advisory
cve.org
访问
cve.org
RHSA-2019:1161
vendor-advisory
cve.org
访问
cve.org
[maven-dev] 20190531 proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
mailing-list
cve.org
访问
cve.org
[maven-dev] 20190531 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
mailing-list
cve.org
访问
cve.org
[maven-commits] 20190531 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
mailing-list
cve.org
访问
cve.org
[maven-commits] 20190601 [maven-archetype] 01/01: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
mailing-list
cve.org
访问
cve.org
[maven-dev] 20190603 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
mailing-list
cve.org
访问
cve.org
[maven-commits] 20190604 [maven-archetype] branch master updated: ARCHETYPE-567: switch to dom4j 2.1.1 (and Java 8) dom4j 2.1.1 requires Java 8 dom4j 2.0.2 would retain Java 7 but is vulnerable to CVE-2018-1000632 dom4j 2.0.3 fixes CVE-2018-1000632 but has been pending for ~1 year
mailing-list
cve.org
访问
cve.org
[maven-dev] 20190610 Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
mailing-list
cve.org
访问
cve.org
RHSA-2019:3172
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
FEDORA-2021-f28c870528
vendor-advisory
cve.org
访问
cve.org
FEDORA-2021-8015a8cdc4
vendor-advisory
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it
mailing-list
cve.org
访问
cve.org
CVSS评分详情
7.5
HIGH
CVSS向量:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS版本:
3.1
机密性
NONE
完整性
HIGH
可用性
NONE
时间信息
发布时间:
2018-08-20 19:00:00
修改时间:
2024-08-05 12:40:47
创建时间:
2025-11-11 15:34:58
更新时间:
2025-11-11 15:53:53
利用信息
暂无可利用代码信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2018-1000632 |
2025-11-11 15:19:36 | 2025-11-11 07:34:58 |
| NVD | nvd_CVE-2018-1000632 |
2025-11-11 14:55:57 | 2025-11-11 07:43:34 |
| CNNVD | cnnvd_CNNVD-201808-625 |
2025-11-11 15:10:04 | 2025-11-11 07:53:53 |
版本与语言
当前版本:
v3
主要语言:
EN
支持语言:
EN
ZH
安全公告
暂无安全公告信息
变更历史
v3
CNNVD
2025-11-11 15:53:53
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-201808-625; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-201808-625
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2
NVD
2025-11-11 15:43:34
severity: SeverityLevel.MEDIUM → SeverityLevel.HIGH; cvss_score: 未提取 → 7.5; cvss_vector: NOT_EXTRACTED → CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N; cvss_version: NOT_EXTRACTED → 3.1; affected_products_count: 0 → 27; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
- severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
- cvss_score: 未提取 -> 7.5
- cvss_vector: NOT_EXTRACTED -> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- cvss_version: NOT_EXTRACTED -> 3.1
- affected_products_count: 0 -> 27
- data_sources: ['cve'] -> ['cve', 'nvd']