CVE-2014-3630XML External Entity (XXE) Injection in Play Framework

CWE-611XML External Entity (XXE) Injection2 documents2 sources
Severity
9.8CRITICALNVD
EPSS
0.7%
top 27.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Lightbend Play FrameworkPlayframework Play Framework
Timeline
PublishedDec 29
Latest updateMay 13

Description

XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDlightbend/play_framework8 versions+7

🔴Vulnerability Details

1
GHSA
GHSA-xpw4-hqm8-rj97: XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 22022-05-13
CVE-2014-3630 — XML External Entity (XXE) Injection | cvebase