
Cloud Vulnerability DB
A community-led vulnerabilities database
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and external entities by default, which can enable XML External Entity (XXE) attacks. The vulnerability (CVE-2020-10683) was discovered in March 2020 and fixed in April 2020 with the release of versions 2.0.3 and 2.1.3. It affects the XML parsing functionality of dom4j, a flexible XML framework for Java (CVE Details).
The vulnerability exists because dom4j's SAXReader is built on the platform's default XMLReader and leaves that parser's own defaults in place, which permit loading external DTDs and resolving external entities. Any application that hands attacker-controlled XML to a reader constructed with new SAXReader() and no further configuration is therefore exposed to XXE. OWASP's XXE Prevention Cheat Sheet had long documented how to switch this behaviour off, but the library's default configuration remained unsafe. The fix introduced a new factory method, SAXReader.createDefault(), which returns a reader with external DTD loading and external general and parameter entity resolution disabled (GitHub Commit). Because the fix was delivered as a new factory method rather than a change to the no-argument constructor, code that still calls new SAXReader() should be switched to SAXReader.createDefault() or set the hardening features explicitly.
Successful exploitation of this vulnerability could lead to disclosure of sensitive information (for example local files readable by the parsing process), addition or modification of data, or Denial of Service (DoS). The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: attack vector Network, attack complexity Low, privileges required None, user interaction None, scope Unchanged, and high impact on confidentiality, integrity and availability (NetApp Advisory).
The recommended mitigation is to upgrade to dom4j version 2.0.3 or 2.1.3 or later and to obtain readers through SAXReader.createDefault(). For applications that cannot be upgraded immediately, the workaround is to configure each SAXReader to disable external DTDs and entities by setting the following parser features: http://apache.org/xml/features/nonvalidating/load-external-dtd to false, http://xml.org/sax/features/external-general-entities to false, and http://xml.org/sax/features/external-parameter-entities to false (OWASP Cheat Sheet). The features must be set on every SAXReader instance the application creates, since a single unconfigured reader is enough to reintroduce the exposure.
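The two behaviours described above, the permissive default reader and the hardened configuration from the workaround, as an added example that is not part of this page or of the dom4j project's own code. It assumes dom4j 2.1.3 or later on the classpath (only the createDefault() call needs the fixed version; the setFeature() calls also work on vulnerable releases) and the JDK's built-in Xerces SAX parser, which understands the feature URIs used. The class name Dom4jXxeDemo, the helper method names, the XXE_PAYLOAD document and the file:///etc/hostname path are illustrative choices; the disallow-doctype-decl feature is a Xerces option that goes beyond the three features the advisory lists.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example, not dom4j's own code: parse a constructed XXE-style document
 * with the vulnerable SAXReader defaults and with hardened readers.
 * Assumes dom4j 2.1.3+ (for createDefault()) and the JDK's built-in Xerces
 * SAX parser, which recognises the feature URIs below.
 */
public class Dom4jXxeDemo {

    // Constructed sample input. The internal DTD subset declares an external
    // general entity pointing at a local file (an arbitrary path chosen for
    // illustration) and the element body dereferences it.
    static final String XXE_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<data>&xxe;</data>";

    /** Pre-fix behaviour: new SAXReader() inherits the platform XMLReader's permissive defaults. */
    static SAXReader vulnerableReader() {
        return new SAXReader();
    }

    /** Workaround for versions that cannot be upgraded: the three features from the advisory. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    /** Stricter Xerces-specific option: reject any DOCTYPE, so no entity can be declared at all. */
    static SAXReader noDoctypeReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return reader;
    }

    /** Parse the document and return the root element's text, which is where &xxe; would expand. */
    static String rootText(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable defaults: the entity is resolved and the file's contents
        // become the element text (a DocumentException if the file is unreadable).
        try {
            System.out.println("default reader  : " + rootText(vulnerableReader(), XXE_PAYLOAD));
        } catch (DocumentException e) {
            System.out.println("default reader  : entity resolution attempted, failed: " + e.getMessage());
        }

        // Hardened: the external general entity is not resolved, so nothing
        // from the file reaches the document tree and the text is empty.
        System.out.println("hardened reader : '" + rootText(hardenedReader(), XXE_PAYLOAD) + "'");

        // Fixed-version factory method: the same three features, set by the library.
        System.out.println("createDefault() : '" + rootText(SAXReader.createDefault(), XXE_PAYLOAD) + "'");

        // Strict: parsing fails on the DOCTYPE before any entity is declared.
        try {
            rootText(noDoctypeReader(), XXE_PAYLOAD);
        } catch (DocumentException e) {
            System.out.println("no-DOCTYPE reader: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The difference between the hardened reader and the no-DOCTYPE reader matters for review: disabling the three entity features still lets the parser read the internal DTD subset, so documents with harmless DOCTYPEs keep working, whereas disallow-doctype-decl fails fast on any DOCTYPE and is the safer choice when the application never needs one.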
The vulnerability received significant attention from major software vendors and was patched in numerous products that use dom4j. Oracle included fixes in multiple Critical Patch Updates throughout 2020-2021. NetApp, Red Hat, and Ubuntu also released security advisories and patches for affected products (Oracle CPU, Ubuntu Notice).
Source: This report was generated using AI