Dom4j raises a CVE


Hello everybody,

the transitive dependency dom4j 1.6.1, which is used by hibernate core, has a CVE (see
I noticed that the version is very old (year 2006). Why isn't the latest org.dom4j 2.x.x used?
The newest version 2.1.1 has this CVE too, but I hope in the next version it will be fixed.

Thanks and cheers


EDIT: The dom4j 2.1.1 fixed this issue
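Before and after the Hibernate fix lands, the practical question is which dom4j version your build actually resolves, since a transitive `dom4j:dom4j:1.6.1` can survive next to an `org.dom4j:dom4j` 2.x that another dependency pulls in (the two use different groupIds, so Maven does not treat them as the same artifact and will keep both). The script below is an added example, not code from the thread or from the Hibernate project: it scans `mvn dependency:tree` output for dom4j artifacts and flags any version below 2.1.1, which the EDIT above names as the fixed release. The sample tree text is constructed for the example; the hibernate-core and javassist coordinates in it are illustrative, not taken from the page. Assumed workflow: `mvn dependency:tree | sh check_dom4j.sh`, then pin the version in `<dependencyManagement>` and re-run until nothing is flagged.

```shell
#!/bin/sh
# Constructed excerpt of `mvn dependency:tree` output used as sample input (not real project output).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.hibernate:hibernate-core:jar:5.2.17.Final:compile
[INFO] |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  \- org.javassist:javassist:jar:3.22.0-GA:compile
[INFO] \- org.dom4j:dom4j:jar:2.1.1:compile'

# Read dependency:tree lines on stdin; print "groupId:artifactId:version" for every dom4j artifact.
# Maven prints coordinates as g:a:type:version:scope, or g:a:type:classifier:version:scope.
dom4j_versions() {
  awk '{
    n = split($NF, f, ":")
    if (n >= 4 && f[2] == "dom4j" && (f[1] == "dom4j" || f[1] == "org.dom4j")) {
      ver = (n >= 6) ? f[5] : f[4]
      print f[1] ":" f[2] ":" ver
    }
  }'
}

# Return 0 (true) when version $1 is older than $2, comparing the first three numeric components.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# CI-gate style check: print every dom4j coordinate older than the fixed version given as $1.
# Returns 1 if any was found (so a pipeline step fails), 0 if the tree is clean.
flag_old_dom4j() {
  fixed="$1"
  status=0
  for coord in $(dom4j_versions); do
    ver=${coord##*:}
    if version_lt "$ver" "$fixed"; then
      echo "VULNERABLE $coord (< $fixed)"
      status=1
    fi
  done
  return $status
}

# Stand-alone run over the constructed sample; pipe real `mvn dependency:tree` output instead.
if [ -z "$CHECK_DOM4J_NO_MAIN" ]; then
  printf '%s\n' "$SAMPLE_TREE" | flag_old_dom4j 2.1.1
fi
```

Against the sample tree this prints `VULNERABLE dom4j:dom4j:1.6.1 (< 2.1.1)` and exits non-zero, while the `org.dom4j:dom4j:2.1.1` line passes. The groupId is printed on purpose: if both `dom4j:dom4j` and `org.dom4j:dom4j` appear, a version pin on one of them will not remove the other, and you need an `<exclusion>` on the old coordinate as well.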


Thanks for the heads up. Please create a Jira issue for this. Thanks.


Thanks for the issue and Pull Request.


I cannot comment on JIRA tickets, so I'll try here. Can this be merged back to 5.2, 5.1 and 5.0? I am depending on 5.0 because of … political reasons (my team is not controlling the Spring version used).


Regarding merging, you need to talk to @gbadner, as she decides what is to be merged on those branches.


Thanks for the tip! :pray:

Edit: I’m quite a noob with this Discourse stuff - I thought there were private messages here.

@gbadner Can we see this issue fixed in the previous Hibernate versions too? I am particularly interested in the 5.0.x branch, since my team cannot change Spring versions; we have (for the time being) to remain on the 5.0.x branch.


Also try HipChat. You can find more details on the Community page. You might get your answer faster there.