PublicDateAtUSN: 2018-08-20 19:31:00 UTC
Candidate: CVE-2018-1000632
PublicDate: 2018-08-20 19:31:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
 https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
 https://github.com/dom4j/dom4j/issues/48
 https://ihacktoprotect.com/post/dom4j-xml-injection/
 https://ubuntu.com/security/notices/USN-4619-1
Description:
 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection
 vulnerability in Class: Element. Methods: addElement, addAttribute that can
 result in an attacker tampering with XML documents through XML injection.
 This attack appears to be exploitable via an attacker specifying attributes
 or elements in the XML document. This vulnerability appears to have been
 fixed in 2.1.1 or later.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_dom4j:
upstream_dom4j: released (2.1.1)
precise/esm_dom4j: DNE
trusty_dom4j: ignored (out of standard support)
trusty/esm_dom4j: ignored (not in esm-main list)
xenial_dom4j: released (1.6.1+dfsg.3-2ubuntu1.2)
bionic_dom4j: needed
cosmic_dom4j: released (2.1.1-1)
disco_dom4j: released (2.1.1-1)
eoan_dom4j: released (2.1.1-1)
focal_dom4j: released (2.1.1-1)
groovy_dom4j: released (2.1.1-1)
hirsute_dom4j: released (2.1.1-1)
impish_dom4j: released (2.1.1-1)
jammy_dom4j: released (2.1.1-1)
devel_dom4j: released (2.1.1-1)