CVE-2014-0225
UNKNOWN
Published 2017-05-25T17:00:00
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2014-0225. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
HIGH
Improper Restriction of XML External Entity Reference in Spring Framework
GHSA-f93f-g33r-8pcpAdvisory Details
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Affected Packages
Maven
org.springframework:spring-webmvc
ECOSYSTEM:
≥4.0.0
<4.0.5
Maven
org.springframework:spring-webmvc
ECOSYSTEM:
≥3.0.0
<3.2.8
CVSS Scoring
CVSS Score
7.5
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
WEB
https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753
WEB
https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1
Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: February 27, 2024
References
Published: 2017-05-25T17:00:00
Last Modified: 2024-08-06T09:05:39.298Z
Copied to clipboard!