dom4j-1.6.1-33.6 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10724-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dom4j-1.6.1-33.6 on GA media These are all security issues fixed in the dom4j-1.6.1-33.6 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10724 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1000632/ SUSE CVE CVE-2018-1000632 page https://www.suse.com/security/cve/CVE-2020-10683/ SUSE CVE CVE-2020-10683 page openSUSE Tumbleweed dom4j-1.6.1-33.6 dom4j-demo-1.6.1-33.6 dom4j-javadoc-1.6.1-33.6 dom4j-manual-1.6.1-33.6 dom4j-1.6.1-33.6 as a component of openSUSE Tumbleweed dom4j-demo-1.6.1-33.6 as a component of openSUSE Tumbleweed dom4j-javadoc-1.6.1-33.6 as a component of openSUSE Tumbleweed dom4j-manual-1.6.1-33.6 as a component of openSUSE Tumbleweed dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. CVE-2018-1000632 openSUSE Tumbleweed:dom4j-1.6.1-33.6 openSUSE Tumbleweed:dom4j-demo-1.6.1-33.6 openSUSE Tumbleweed:dom4j-javadoc-1.6.1-33.6 openSUSE Tumbleweed:dom4j-manual-1.6.1-33.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1000632.html CVE-2018-1000632 https://bugzilla.suse.com/1105443 SUSE Bug 1105443 dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. CVE-2020-10683 openSUSE Tumbleweed:dom4j-1.6.1-33.6 openSUSE Tumbleweed:dom4j-demo-1.6.1-33.6 openSUSE Tumbleweed:dom4j-javadoc-1.6.1-33.6 openSUSE Tumbleweed:dom4j-manual-1.6.1-33.6 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10683.html CVE-2020-10683 https://bugzilla.suse.com/1169760 SUSE Bug 1169760