CVE-2014-0054

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*

Information

Published : 2014-04-17 07:55

Updated : 2022-04-11 10:36


NVD link : CVE-2014-0054

Mitre link : CVE-2014-0054


JSON object : View

CWE
CWE-352

Cross-Site Request Forgery (CSRF)

Advertisement

dedicated server usa

Products Affected

springsource

  • spring_framework

vmware

  • spring_framework