## Vulnerable Library - dom4j-2.1.0.jar

flexible XML framework for Java

Library home page: http://dom4j.github.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/dom4j/dom4j/2.1.0/dom4j-2.1.0.jar

## Vulnerabilities

| Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (dom4j version) | Remediation Possible** | Reachability |
| ------------- | -------- | ---- | ---------------- | ---- | ---------- | ---- | ------------------------ | ---------------------- | ------------ |
| [CVE-2018-1000632](https://www.mend.io/vulnerability-database/CVE-2018-1000632) | High | 7.5 | Not Defined | 1.6% | dom4j-2.1.0.jar | Direct | org.dom4j:dom4j:2.0.3 | ✅ | Reachable |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

## Details

### CVE-2018-1000632

#### Vulnerable Library - dom4j-2.1.0.jar

flexible XML framework for Java

Library home page: http://dom4j.github.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/dom4j/dom4j/2.1.0/dom4j-2.1.0.jar

Dependency Hierarchy:

- :x: **dom4j-2.1.0.jar** (Vulnerable Library)

Found in base branch: master

#### Reachability Analysis

This vulnerability is potentially reachable:

```
org.joychou.controller.XXE (Application)
  -> org.dom4j.DocumentHelper (Extension)
    -> ❌ org.dom4j.NodeFilter (Vulnerable Component)
```

#### Vulnerability Details

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in class `Element`, methods `addElement` and `addAttribute`, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Publish Date: 2018-08-20

URL: CVE-2018-1000632

#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.6%

#### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632/

Release Date: 2018-08-20

Fix Resolution: org.dom4j:dom4j:2.0.3

***

In order to enable automatic remediation for this issue, please create workflow rules.