CVE-2014-0054 — Cross-Site Request Forgery in Vmware Spring Framework

CWE-352 — Cross-Site Request Forgery8 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

2.5%

top 14.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework Springsource Spring Framework

Timeline

PublishedApr 17

Latest updateMay 13

Description

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDvmware/spring_framework3.2.7+13

▶NVDspringsource/spring_framework12 versions+11

🔴Vulnerability Details

GHSA

Cross-Site Request Forgery in Spring Framework↗2022-05-13

▶

OSV

Cross-Site Request Forgery in Spring Framework↗2022-05-13

▶

CVEList

CVE-2014-0054: The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3↗2014-04-17

▶

OSV

CVE-2014-0054: The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3↗2014-04-17

▶

📋Vendor Advisories

Red Hat

Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429↗2014-01-31

▶

Debian

CVE-2014-0054: libspring-java - The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework befor...↗2014

▶

💬Community

Bugzilla

CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429↗2014-03-12

▶