Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mOTNmLWczM3ItOHBjcM3o4A
Improper Restriction of XML External Entity Reference in Spring Framework
When processing user-provided XML documents, Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not, by default, disable the resolution of URI references in a DTD declaration (external DTD subsets and the external entities they declare). An attacker who can submit XML to an endpoint that Spring's XML message converters parse could therefore mount an XML External Entity (XXE) attack: reading local files, reaching internal network services through the entity's URI, or exhausting parser resources. Note that the fixed versions listed below (3.2.8 and 4.0.5) change the default; an application that has explicitly re-enabled DTD support or external entity processing on a converter is still exposed.
Permalink: https://github.com/advisories/GHSA-f93f-g33r-8pcp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOTNmLWczM3ItOHBjcM3o4A
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 2 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-f93f-g33r-8pcp, CVE-2014-0225
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0225
- https://pivotal.io/security/cve-2014-0225
- https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1
- https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb
- https://jira.spring.io/browse/SPR-11768
- https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753
- https://github.com/advisories/GHSA-f93f-g33r-8pcp
Blast Radius: 47.1
Affected Packages
maven:org.springframework:spring-webmvc
Dependent packages: 4,621
Dependent repositories: 227,195
Downloads:
Affected Version Ranges: >= 3.0.0, < 3.2.8, >= 4.0.0, < 4.0.5
Fixed in: 3.2.8, 4.0.5
All affected versions:
All unaffected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6