Versio.io

CVE-2014-0054

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 17-04-2014 04:55
Last modified: - 11-04-2022 07:36
Total changes: - 2

Description

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:M/Au:N/C:P/I:P/A:P
Low
Attack complexity
Network
Attack vector
Low
Availability
Low
Confidentiality
Low
Integrity
-
Privileges required
-
Scope
-
User interaction
6.8
Base score
8.6
6.4
Exploitability score
Impact score
 

Verification logic

OR
vendor=springsource AND product=spring_framework AND version=3.2.6
vendor=springsource AND product=spring_framework AND version=3.2.5
vendor=vmware AND product=spring_framework AND version=3.1.2
vendor=vmware AND product=spring_framework AND version=3.1.1
vendor=springsource AND product=spring_framework AND version=3.0.2
vendor=vmware AND product=spring_framework AND version=4.0.0 AND update=milestone2
vendor=springsource AND product=spring_framework AND version=4.0.0 AND update=rc1
vendor=vmware AND product=spring_framework AND version=3.2.2
vendor=vmware AND product=spring_framework AND version=3.2.1
vendor=vmware AND product=spring_framework AND version=3.0.6
vendor=springsource AND product=spring_framework AND version=3.0.5
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc3
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc2
vendor=vmware AND product=spring_framework AND version=4.0.0 AND update=milestone1
vendor=vmware AND product=spring_framework AND version=3.2.4
vendor=vmware AND product=spring_framework AND version=3.2.3
vendor=vmware AND product=spring_framework AND version=3.1.0
vendor=vmware AND product=spring_framework AND version=3.0.7
vendor=springsource AND product=spring_framework AND version=3.0.0.m2
vendor=springsource AND product=spring_framework AND version=3.0.0.m1
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m1
vendor=springsource AND product=spring_framework AND version=3.0.0
vendor=springsource AND product=spring_framework AND version=4.0.1
vendor=vmware AND product=spring_framework AND versionEndIncluding=3.2.7
vendor=vmware AND product=spring_framework AND version=3.2.0
vendor=vmware AND product=spring_framework AND version=3.1.4
vendor=vmware AND product=spring_framework AND version=3.1.3
vendor=springsource AND product=spring_framework AND version=3.0.4
vendor=springsource AND product=spring_framework AND version=3.0.3
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc1
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m4
vendor=springsource AND product=spring_framework AND version=3.0.1
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m3
vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m2
 

Reference

 


Keywords

NVD

 

CVE-2014-0054

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.