CVE-2020-10683 was issued with the description "dom4j allows External Entities by default which might enable XXE attacks".
The claimed vulnerable versions are "dom4j before 2.0.3 and 2.1.x before 2.1.3". However, there is no evidence that 2.1.1 is vulnerable. The relevant dom4j issue claims that:
The constructor new org.dom4j.io.SAXReader() calls one of the factory methods from the Java runtime library, org.xml.sax.helpers.XMLReaderFactory.createXMLReader() or javax.xml.parsers.SAXParserFactory.newInstance().newSAXParser(). These factory methods do not have safe defaults, such as downloading external entities.
Create the new factory method org.dom4j.io.SAXReader.createDefault(), which overrides Java runtime library defaults and sets...
- Using the SAXReader() default constructor (which is the use case pointed out above).
- Parsing with DocumentHelper.parseText(String).
dom4j 2.0.2 was indeed vulnerable, and 2.0.3 is not. But there is no evidence that 2.1.1 has less secure defaults than 2.1.3 (those defaults happen to ruin entity processing, but that's another issue). And in fact 2.1.3 is applying the same defaults twice.
Unless there is specific evidence about 2.1.1 being vulnerable, my opinion is that the claim in CVE-2020-10683 about dom4j 2.1.1 being affected is bogus. Meanwhile, 2.1.3 still has weak spots like the following SAXReader constructors:
- SAXReader(String)
- SAXReader(String, boolean)
which lead to a vulnerable XMLReader being used.
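Whichever constructor or dom4j version is in play, an application can stop depending on the JDK factory defaults by setting the entity-handling features itself on the SAXReader. The following is an added example, not code from dom4j or from the issue above: it parses a constructed document that declares an external general entity, once with a plain SAXReader() and once after explicit hardening, and uses an EntityResolver that records every resolution attempt so the difference is visible without fetching anything. The class and method names (SaxReaderHardeningDemo, harden, RecordingResolver, resolutionAttempts) and the placeholder file URI are my own; the feature URIs are the standard SAX/Xerces ones, and SAXReader.setFeature, setEntityResolver and read(Reader) are the public dom4j API.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SaxReaderHardeningDemo {

    // Constructed sample input: a DOCTYPE that declares an external general entity.
    // The system id is a placeholder; the resolver below never actually fetches it.
    static final String XML_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/example.txt\">]>\n"
        + "<data>&ext;</data>";

    /**
     * Records every external entity the parser tries to resolve and answers with
     * empty content. Useful both as a detector (log what the parser reaches for)
     * and as a deny-all layer beneath the feature settings.
     */
    static final class RecordingResolver implements EntityResolver {
        final List<String> attempted = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            attempted.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /**
     * Apply explicit entity restrictions. setFeature goes straight to the underlying
     * XMLReader, so this works for SAXReader(), SAXReader(String) and the other
     * constructors alike, independent of what the runtime factory chose as defaults.
     */
    static SAXReader harden(SAXReader reader) throws SAXException {
        // Refusing any DOCTYPE covers external entities and entity expansion in one setting.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not implement the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Parses the sample with the given reader; returns the system ids it tried to resolve. */
    static List<String> resolutionAttempts(SAXReader reader) {
        RecordingResolver resolver = new RecordingResolver();
        reader.setEntityResolver(resolver);
        try {
            Document doc = reader.read(new StringReader(XML_WITH_EXTERNAL_ENTITY));
            System.out.println("parsed; root text=\"" + doc.getRootElement().getText() + "\"");
        } catch (DocumentException e) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE, before any resolution.
            System.out.println("rejected: " + e.getMessage());
        }
        return resolver.attempted;
    }

    public static void main(String[] args) throws SAXException {
        // Plain default constructor: behaviour depends on the dom4j version and JDK factory defaults.
        System.out.println("SAXReader() resolution attempts: " + resolutionAttempts(new SAXReader()));
        // Explicitly hardened reader: no DOCTYPE accepted, so the resolver is never consulted.
        System.out.println("hardened resolution attempts:    " + resolutionAttempts(harden(new SAXReader())));
    }
}
```

Run against a reader whose defaults still allow external entities, the first line lists the placeholder URI as an attempted resolution; the hardened reader reports a rejected document and an empty list. Keeping the RecordingResolver (or a resolver that throws) in production code gives a cheap audit signal for any code path that constructs a SAXReader without going through the hardening step.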