CVE-2018-1000632: XML Injection (aka Blind XPath Injection)

October 16, 2018 (updated September 8, 2021)

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

References

github.com/advisories/GHSA-6pcc-3rfx-4gpm
github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f
github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387
github.com/dom4j/dom4j/issues/48
nvd.nist.gov/vuln/detail/CVE-2018-1000632

Code Behaviors & Features

Detect and mitigate CVE-2018-1000632 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →