CVE-2014-0225 — XML External Entity (XXE) Injection in Spring Framework

CWE-611 — XML External Entity (XXE) Injection10 documents8 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 53.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pivotal Spring Framework Pivotal Software Spring Framework Vmware Spring Framework

Timeline

PublishedMay 25

Latest updateMay 13

Description

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDvmware/spring_framework26 versions+25

▶CVEListV5pivotal/spring_framework3.0.0 to 3.2.8, 4.0.0 to 4.0.4, Earlier unsupported versions may be affected+2

▶NVDpivotal_software/spring_framework4 versions+3

🔴Vulnerability Details

OSV

Improper Restriction of XML External Entity Reference in Spring Framework↗2022-05-13

▶

GHSA

Improper Restriction of XML External Entity Reference in Spring Framework↗2022-05-13

▶

CVEList

CVE-2014-0225: When processing user provided XML documents, the Spring Framework 4↗2017-05-25

▶

OSV

CVE-2014-0225: When processing user provided XML documents, the Spring Framework 4↗2017-05-25

▶

📋Vendor Advisories

Ubuntu

Spring Framework vulnerabilities↗2021-03-17

▶

Red Hat

Framework: Information disclosure via SSRF↗2014-05-28

▶

Debian

CVE-2014-0225: libspring-java - When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4...↗2014

▶

💬Community

Bugzilla

CVE-2014-0225 Spring Framework: Information disclosure via SSRF↗2014-06-17

▶

Bugzilla

CVE-2014-0225 springframework: Spring Framework: Information disclosure via SSRF [fedora-all]↗2014-06-17

▶