CVE-2014-0225
published 2017-05-25
high · 8.8 · CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Affected
34 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspring-java | < libspring-java 3.0.6.RELEASE-14 (bookworm) | libspring-java 3.0.6.RELEASE-14 (bookworm) |
| pivotal | spring_framework | — | — |
| pivotal | spring_framework | — | — |
| pivotal | spring_framework | — | — |
| pivotal_software | spring_framework | — | — |
| pivotal_software | spring_framework | — | — |
| pivotal_software | spring_framework | — | — |
| pivotal_software | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
| vmware | spring_framework | — | — |
CVSS provenance
nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv · 8.8 HIGH