Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-3004: XML External Entity (XXE) Injection in Project Castor

Severity
4.3 MEDIUM (NVD)
EPSS
3.6%
top 12.16%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jun 11
Latest update: May 13

Description

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (3 packages)

🔴 Vulnerability Details (4)

OSV
Improper Restriction of XML External Entity Reference in Castor (2022-05-13)
GHSA
Improper Restriction of XML External Entity Reference in Castor (2022-05-13)
OSV
CVE-2014-3004: The default configuration for the Xerces SAX Parser in Castor before 1 (2014-06-11)
CVEList
CVE-2014-3004: The default configuration for the Xerces SAX Parser in Castor before 1 (2014-06-11)

💥 Exploits & PoCs (1)

Exploit-DB
Castor Library - XML External Entity Information Disclosure (2014-05-27)

📋 Vendor Advisories (2)

Oracle
Oracle Utilities Applications Risk Matrix: Common (Castor) — CVE-2014-3004 (2020-01-15)
Red Hat
castor: XML External Entity (XXE) attacks via a crafted XML document (2014-05-27)

💬 Community (2)

Bugzilla
CVE-2014-3004 castor: XML External Entity (XXE) attacks via a crafted XML document (2014-06-12)
Bugzilla
CVE-2014-3004 castor: XML External Entity (XXE) attacks via a crafted XML document [fedora-all] (2014-06-12)