CVE-2015-3192

CWE-119 — Buffer Overflow CWE-20 — Improper Input Validation11 documents8 sources

Severity

5.5MEDIUM

EPSS

1.4%

top 19.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Fedora Pivotal Software Spring Framework Vmware Spring Framework

Timeline

PublishedJul 12

Latest updateMar 17

Description

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶NVDpivotal_software/spring_framework3.2.0, 4.1.0+1

▶Mavenorg.springframework:spring-web4.0.0 — 4.1.7+2

▶NVDvmware/spring_framework19 versions+18

▶Debianlibspring-java< 4.1.9-1+3

▶Ubuntulibspring-java< 3.0.6.RELEASE-13ubuntu0.1~esm2+1

Also affects: Fedora 21, 22

🔴Vulnerability Details

OSV

libspring-java vulnerabilities↗2021-03-17

▶

GHSA

Pivotal Spring Framework DoS Attack with XML Input↗2018-10-17

▶

OSV

Pivotal Spring Framework DoS Attack with XML Input↗2018-10-17

▶

OSV

CVE-2015-3192: Pivotal Spring Framework before 3↗2016-07-12

▶

CVEList

CVE-2015-3192: Pivotal Spring Framework before 3↗2016-07-12

▶

📋Vendor Advisories

Ubuntu

Spring Framework vulnerabilities↗2021-03-17

▶

Red Hat

Framework: denial-of-service attack with XML input↗2015-06-30

▶

Debian

CVE-2015-3192: libspring-java - Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly proc...↗2015

▶

💬Community

Bugzilla

CVE-2015-3192 Spring Framework: denial-of-service attack with XML input↗2015-07-03

▶

Bugzilla

CVE-2015-3192 springframework: Spring Framework: denial-of-service attack with XML input [fedora-all]↗2015-07-03

▶