[jboss-jira] [JBoss JIRA] (WFLY-13380) Upgrade dom4j from 2.1.1 to 2.1.3

Radoslav Ivanov (Jira) issues at jboss.org
Wed May 13 19:35:50 EDT 2020


    [ https://issues.redhat.com/browse/WFLY-13380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14092416#comment-14092416 ] 

Radoslav Ivanov edited comment on WFLY-13380 at 5/13/20 7:35 PM:
-----------------------------------------------------------------

[~brian.stansberry], [~smarlow], there is a critical CVE-2020-10683 reported for dom4j-2.1.1, which is available on previous versions of WildFly. It could be mitigated by "enabling safe behavior":

{code:java}
dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. 
{code}

Could you please provide a note/instruction on how we can apply/mitigate on existing older versions of WildFly?


was (Author: rady66):
[~brian.stansberry], there is a critical CVE-2020-10683 reported for dom4j-2.1.1, which is available on previous versions of WildFly. It could be mitigated by "enabling safe behavior":

{code:java}
dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. 
{code}

Could you please provide a note/instruction on how we can apply/mitigate on existing older versions of WildFly?

> Upgrade dom4j from 2.1.1 to 2.1.3
> ---------------------------------
>
>                 Key: WFLY-13380
>                 URL: https://issues.redhat.com/browse/WFLY-13380
>             Project: WildFly
>          Issue Type: Component Upgrade
>          Components: JPA / Hibernate
>            Reporter: Brian Stansberry
>            Assignee: Brian Stansberry
>            Priority: Major
>              Labels: downstream_dependency
>             Fix For: 19.1.0.Final, 20.0.0.Beta1
>
>
> https://github.com/dom4j/dom4j/compare/version-2.1.1...version-2.1.3



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
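The "safe, non-default behavior" the comment refers to is the per-reader hardening that the OWASP XXE Prevention Cheat Sheet documents for dom4j: setting SAX features on the SAXReader so that DOCTYPE declarations are refused and external general/parameter entities and external DTDs are never resolved. The following is an added illustration, not code from the Jira issue, from WildFly or from the dom4j project; the class name SafeDom4jReader and the sample documents are constructed for this example, and the feature URIs are the ones OWASP lists for dom4j (standard SAX2/Xerces feature names, assumed to be honoured by the JDK's default parser). It applies to code that deploys on a WildFly release still shipping dom4j 2.1.1, where the unhardened SAXReader would process the DTD.

```java
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

import java.io.StringReader;

/**
 * Hypothetical helper (not part of dom4j or WildFly) that builds a SAXReader with
 * the OWASP-documented XXE protections applied, for use on dom4j versions whose
 * defaults still allow external DTDs and entities (before 2.1.3).
 */
public class SafeDom4jReader {

    // SAX feature URIs as listed in the OWASP XXE Prevention Cheat Sheet (dom4j section)
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Returns a SAXReader that refuses DOCTYPEs and never resolves external entities or DTDs. */
    public static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Primary defence: any DOCTYPE makes the parse fail outright.
        reader.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth, for parsers that do not honour the feature above.
        reader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        reader.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        reader.setFeature(LOAD_EXTERNAL_DTD, false);
        return reader;
    }

    /** Parses untrusted XML with the hardened reader and returns the root element name. */
    public static String rootName(String xml) throws SAXException, DocumentException {
        Document doc = hardenedReader().read(new StringReader(xml));
        return doc.getRootElement().getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the demonstration.
        String plain = "<config><name>demo</name></config>";
        // Carries an internal DTD; a hardened reader must reject it before any entity is expanded.
        String withDoctype =
                "<!DOCTYPE config [<!ENTITY greeting \"hello\">]><config>&greeting;</config>";

        System.out.println("plain document root: " + rootName(plain));
        try {
            rootName(withDoctype);
            System.out.println("DOCTYPE accepted: the reader is NOT hardened");
        } catch (DocumentException e) {
            // Expected on a hardened reader: dom4j wraps the parser's SAXParseException.
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

SAXReader stores features set before the first parse and applies them when it creates its XMLReader, so the reader must be configured before read() is called, and a reader obtained elsewhere in the application (or one created by a library inside the same deployment) is not covered by this helper. That is why the per-application hardening answers the comment's question for older WildFly releases but does not replace the component upgrade the issue tracks: only the 2.1.3 upgrade changes the defaults for every SAXReader in the server.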

