Lucene search

[email protected]CVE-2014-0054

HistoryApr 17, 2014 - 2:55 p.m.

CVE-2014-0054

2014-04-1714:55:06

CWE-352

[email protected]

web.nvd.nist.gov

cve-2014-0054

jaxb2rootelementhttpmessageconverter

spring mvc

spring framework

xml

xxe

csrf

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.2 High

AI Score

Confidence

Low

0.937 High

EPSS

Percentile

99.1%

JSON

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Affected configurations

NVD

Node

springsourcespring_frameworkMatch3.0.0

springsourcespring_frameworkMatch3.0.0m1

springsourcespring_frameworkMatch3.0.0m2

springsourcespring_frameworkMatch3.0.0m3

springsourcespring_frameworkMatch3.0.0m4

springsourcespring_frameworkMatch3.0.0rc1

springsourcespring_frameworkMatch3.0.0rc2

springsourcespring_frameworkMatch3.0.0rc3

springsourcespring_frameworkMatch3.0.0.m1

springsourcespring_frameworkMatch3.0.0.m2

springsourcespring_frameworkMatch3.0.1

springsourcespring_frameworkMatch3.0.2

springsourcespring_frameworkMatch3.0.3

springsourcespring_frameworkMatch3.0.4

springsourcespring_frameworkMatch3.0.5

springsourcespring_frameworkMatch3.2.5

springsourcespring_frameworkMatch3.2.6

springsourcespring_frameworkMatch4.0.0rc1

springsourcespring_frameworkMatch4.0.1

vmwarespring_frameworkRange≤3.2.7

vmwarespring_frameworkMatch3.0.6

vmwarespring_frameworkMatch3.0.7

vmwarespring_frameworkMatch3.1.0

vmwarespring_frameworkMatch3.1.1

vmwarespring_frameworkMatch3.1.2

vmwarespring_frameworkMatch3.1.3

vmwarespring_frameworkMatch3.1.4

vmwarespring_frameworkMatch3.2.0

vmwarespring_frameworkMatch3.2.1

vmwarespring_frameworkMatch3.2.2

vmwarespring_frameworkMatch3.2.3

vmwarespring_frameworkMatch3.2.4

vmwarespring_frameworkMatch4.0.0milestone1

vmwarespring_frameworkMatch4.0.0milestone2

CPENameOperatorVersion
springsource:spring_frameworkspringsource spring frameworkeq3.0.0
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m1
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m2
springsource:spring_frameworkspringsource spring frameworkeq3.0.1
springsource:spring_frameworkspringsource spring frameworkeq3.0.2
springsource:spring_frameworkspringsource spring frameworkeq3.0.3
springsource:spring_frameworkspringsource spring frameworkeq3.0.4
springsource:spring_frameworkspringsource spring frameworkeq3.0.5
springsource:spring_frameworkspringsource spring frameworkeq3.2.5
springsource:spring_frameworkspringsource spring frameworkeq3.2.6

CPE	Name	Operator	Version
springsource:spring_framework	springsource spring framework	eq	3.0.0
springsource:spring_framework	springsource spring framework	eq	3.0.0.m1
springsource:spring_framework	springsource spring framework	eq	3.0.0.m2
springsource:spring_framework	springsource spring framework	eq	3.0.1
springsource:spring_framework	springsource spring framework	eq	3.0.2
springsource:spring_framework	springsource spring framework	eq	3.0.3
springsource:spring_framework	springsource spring framework	eq	3.0.4
springsource:spring_framework	springsource spring framework	eq	3.0.5
springsource:spring_framework	springsource spring framework	eq	3.2.5
springsource:spring_framework	springsource spring framework	eq	3.2.6