High severity 7.5 · NVD Advisory · Published Aug 20, 2018 · Updated Jun 17, 2026
CVE-2018-1000632
Description
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element, Methods: addElement, addAttribute, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.dom4j:dom4j (Maven) | < 2.0.3 | 2.0.3 |
| org.dom4j:dom4j (Maven) | >= 2.1.0, < 2.1.1 | 2.1.1 |
| dom4j:dom4j (Maven) | <= 1.6.1 | — |
Affected products (8)
ghsa-coords, 8 versions:
- pkg:maven/dom4j/dom4j
- pkg:maven/org.dom4j/dom4j
- pkg:rpm/opensuse/dom4j&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/dom4j&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4
- pkg:rpm/suse/dom4j&distro=SUSE%20Manager%20Server%203.0
- pkg:rpm/suse/dom4j&distro=SUSE%20Manager%20Server%203.1
- pkg:rpm/suse/dom4j&distro=SUSE%20Manager%20Server%203.2
- pkg:rpm/suse/dom4j&distro=SUSE%20Package%20Hub%2015

- (no CPE) range: <= 1.6.1
- (no CPE) range: < 2.0.3
- (no CPE) range: < 1.6.1-33.6
- (no CPE) range: < 1.6.1-8.3.8.1
- (no CPE) range: < 1.6.1-27.4.1
- (no CPE) range: < 1.6.1-3.3.2
- (no CPE) range: < 1.6.1-27.4.1
- (no CPE) range: < 1.6.1-bp150.2.3.1
References (45)
- github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 (nvd: Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (nvd: Patch, Third Party Advisory, WEB)
- ihacktoprotect.com/post/dom4j-xml-injection/ (nvd: Exploit, Third Party Advisory)
- access.redhat.com/errata/RHSA-2019:0362 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:0364 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:0365 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:0380 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:1159 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:1160 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:1161 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:1162 (nvd: Third Party Advisory, WEB)
- access.redhat.com/errata/RHSA-2019:3172 (nvd: Third Party Advisory, WEB)
- github.com/advisories/GHSA-6pcc-3rfx-4gpm (ghsa: ADVISORY)
- github.com/dom4j/dom4j/issues/48 (nvd: Third Party Advisory, WEB)
- lists.debian.org/debian-lts-announce/2018/09/msg00028.html (nvd: Mailing List, Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2018-1000632 (ghsa: ADVISORY)
- security.netapp.com/advisory/ntap-20190530-0001/ (nvd: Third Party Advisory)
- www.oracle.com/security-alerts/cpuapr2020.html (nvd: Third Party Advisory, WEB)
- www.oracle.com/security-alerts/cpujul2020.html (nvd: Third Party Advisory, WEB)
- github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f (ghsa: WEB)
- ihacktoprotect.com/post/dom4j-xml-injection (ghsa: WEB)
- lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E (ghsa: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP (ghsa: WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA (ghsa: WEB)
- security.netapp.com/advisory/ntap-20190530-0001 (ghsa: WEB)
- www.oracle.com/security-alerts/cpuApr2021.html (nvd: WEB)
- lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74%40%3Ccommits.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768%40%3Cdev.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc%40%3Ccommits.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (nvd)
- lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458%40%3Cdev.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce%40%3Cdev.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0%40%3Ccommits.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f%40%3Cdev.maven.apache.org%3E (nvd)
- lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E (nvd)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP/ (nvd)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA/ (nvd)