Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocXc1LTYyZ3AtcnFnbc4AAdHE
Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Permalink: https://github.com/advisories/GHSA-hqw5-62gp-rqgmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocXc1LTYyZ3AtcnFnbc4AAdHE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-hqw5-62gp-rqgm, CVE-2014-5325
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-5325
- http://jvn.jp/en/jp/JVN91502163/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117
- https://github.com/advisories/GHSA-hqw5-62gp-rqgm
Affected Packages
maven:org.directwebremoting:dwr
Dependent packages: 70Dependent repositories: 1,772
Downloads:
Affected Version Ranges: >= 3.0.M1, <= 3.0.RC2, < 2.0.11
Fixed in: 3.0.RC3, 2.0.11
All affected versions: 2.0.8, 2.0.9, 2.0.10
All unaffected versions: