Update dependency dom4j:dom4j to v20040902 [SECURITY] #101

Merged
renovate[bot] merged 1 commit from renovate/maven-dom4j-dom4j-vulnerability into helma-🐜 2024-05-18 14:51:23 +00:00
renovate[bot] commented 2024-05-18 13:31:03 +00:00 (Migrated from github.com)

Mend Renovate

This PR contains the following updates:

Package: dom4j:dom4j (source)
Change: 1.6.1 -> 20040902.021138
Age / Adoption / Passing / Confidence: Mend merge-confidence badges (images)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Dom4j contains an XML Injection vulnerability

CVE-2018-1000632 / GHSA-6pcc-3rfx-4gpm

More information

Details

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in class Element, methods addElement and addAttribute, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

  • https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
  • https://github.com/dom4j/dom4j/issues/48
  • https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
  • https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f
  • https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
  • https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E
  • https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E
  • https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E
  • https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E
  • https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E
  • https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA
  • https://security.netapp.com/advisory/ntap-20190530-0001
  • https://www.oracle.com/security-alerts/cpuApr2021.html
  • https://www.oracle.com/security-alerts/cpuapr2020.html
  • https://www.oracle.com/security-alerts/cpujul2020.html
  • https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
  • https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E
  • https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E
  • https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E
  • https://ihacktoprotect.com/post/dom4j-xml-injection
  • https://github.com/dom4j/dom4j
  • https://github.com/advisories/GHSA-6pcc-3rfx-4gpm
  • https://access.redhat.com/errata/RHSA-2019:3172
  • https://access.redhat.com/errata/RHSA-2019:1162
  • https://access.redhat.com/errata/RHSA-2019:1161
  • https://access.redhat.com/errata/RHSA-2019:1160
  • https://access.redhat.com/errata/RHSA-2019:1159
  • https://access.redhat.com/errata/RHSA-2019:0380
  • https://access.redhat.com/errata/RHSA-2019:0365
  • https://access.redhat.com/errata/RHSA-2019:0364
  • https://access.redhat.com/errata/RHSA-2019:0362

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


dom4j allows External Entities by default which might enable XXE attacks

CVE-2020-10683 / GHSA-hwj3-m3p6-hj38

More information

Details

dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Note: This advisory applies to dom4j:dom4j version 1.x legacy artifacts. To resolve this a change to the latest version of org.dom4j:dom4j is recommended.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

  • https://nvd.nist.gov/vuln/detail/CVE-2020-10683
  • https://github.com/dom4j/dom4j/issues/87
  • https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
  • https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
  • https://www.oracle.com/security-alerts/cpuoct2021.html
  • https://www.oracle.com/security-alerts/cpuoct2020.html
  • https://www.oracle.com/security-alerts/cpujul2022.html
  • https://www.oracle.com/security-alerts/cpujul2020.html
  • https://www.oracle.com/security-alerts/cpujan2022.html
  • https://www.oracle.com/security-alerts/cpujan2021.html
  • https://www.oracle.com/security-alerts/cpuApr2021.html
  • https://www.oracle.com//security-alerts/cpujul2021.html
  • https://usn.ubuntu.com/4575-1
  • https://security.netapp.com/advisory/ntap-20200518-0002
  • https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E
  • https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E
  • https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E
  • https://github.com/dom4j/dom4j/releases/tag/version-2.1.3
  • https://github.com/dom4j/dom4j/commits/version-2.0.3
  • https://github.com/dom4j/dom4j
  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
  • https://bugzilla.redhat.com/show_bug.cgi?id=1694235
  • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
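Editor's note on the update itself: neither advisory is closed by it. The target version 20040902.021138 is a date-stamped 2004 build published under the legacy dom4j:dom4j coordinates; Maven's version ordering ranks it above 1.6.1 (which is why Renovate offered it), but it is not the 2.1.1 / 2.1.3 fix line, and both advisories say the real fix is moving to org.dom4j:dom4j. Until that migration, the two application-side mitigations that the advisories point at can be applied in code: a SAXReader configured per the OWASP XXE Prevention Cheat Sheet (CVE-2020-10683), and a name check in front of Element.addElement / addAttribute, which the 1.x artifacts do not validate (CVE-2018-1000632). The class below is an added example written for this page; it is not code from helma, dom4j or the Renovate comment. It assumes the dom4j 1.x SAXReader/Element/DocumentHelper API named in the advisories and a JDK whose default SAX parser honours the Xerces feature names used by the cheat sheet. The class name Dom4jHardening, the helpers newSafeReader, requireSafeName, addElementSafely and addAttributeSafely, and the two payload strings are all constructed for the illustration.

```java
import java.io.StringReader;
import java.util.regex.Pattern;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example (not part of helma or dom4j). Mitigations usable while the
 * legacy dom4j:dom4j 1.x artifact is still on the classpath:
 *  1. newSafeReader(): SAXReader with DOCTYPE and external entities disabled
 *     (CVE-2020-10683, XXE), feature names from the OWASP XXE cheat sheet;
 *  2. requireSafeName(): rejects tag/attribute names that would inject markup
 *     (CVE-2018-1000632), because 1.x addElement/addAttribute accept any string.
 */
public final class Dom4jHardening {

    private Dom4jHardening() {}

    /** Reader that refuses DOCTYPE declarations and never resolves external entities or DTDs. */
    public static SAXReader newSafeReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Rejecting DOCTYPE outright stops classic XXE, blind/OOB XXE and entity-expansion DoS.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a parser ignores the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Conservative ASCII subset of the XML Name production: leading letter or underscore,
    // then letters, digits, '.', '-', '_', with at most one ':' for a namespace prefix.
    // '<', '>', '/', '"', '=' and whitespace are therefore impossible in an accepted name.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z_][A-Za-z0-9._-]*(?::[A-Za-z_][A-Za-z0-9._-]*)?");

    /** Returns the name unchanged, or throws if it could not be a plain XML element/attribute name. */
    public static String requireSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal XML name: " + name);
        }
        return name;
    }

    /** addElement with the name guard; the text content is escaped by dom4j on serialization. */
    public static Element addElementSafely(Element parent, String name, String text) {
        Element child = parent.addElement(requireSafeName(name));
        child.setText(text);
        return child;
    }

    /** addAttribute with the name guard; dom4j already escapes quotes inside attribute values. */
    public static Element addAttributeSafely(Element el, String name, String value) {
        return el.addAttribute(requireSafeName(name), value);
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE payload: an external entity pointing at a readable local file.
        String xxe = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>"
            + "<d>&x;</d>";
        try {
            Document doc = newSafeReader().read(new StringReader(xxe));
            System.out.println("UNEXPECTED: parsed, text=" + doc.getRootElement().getText());
        } catch (DocumentException expected) {
            System.out.println("safe reader rejected the DOCTYPE: " + expected.getMessage());
        }

        // Constructed injection payloads for the name guard.
        Document out = DocumentHelper.createDocument(DocumentHelper.createElement("root"));
        Element root = out.getRootElement();
        addElementSafely(root, "user", "alice");                   // accepted
        try {
            addElementSafely(root, "user/><admin", "true");        // would serialize as two elements
        } catch (IllegalArgumentException e) {
            System.out.println("rejected element name: " + e.getMessage());
        }
        try {
            addAttributeSafely(root, "id=\"1\" role", "admin");    // would smuggle a second attribute
        } catch (IllegalArgumentException e) {
            System.out.println("rejected attribute name: " + e.getMessage());
        }
        System.out.println(out.asXML());                           // <root><user>alice</user></root>
    }
}
```

Compile against the dom4j jar that is actually on the classpath (1.6.1 or the 20040902 build) and run the main method: the XXE sample must end in the DocumentException branch, and only the "user" element must survive in the printed document. If the DOCTYPE is parsed instead, the SAX parser in use does not honour the Xerces feature names and the feature-based hardening is not effective there.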

No reviewers
No milestone
No project
No assignees
1 participant

Reference: antville/helma#101
No description provided.