6.8

CVE-2014-0054

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SpringsourceSpring Framework Version3.0.0
SpringsourceSpring Framework Version3.0.0 Updatem1
SpringsourceSpring Framework Version3.0.0 Updatem2
SpringsourceSpring Framework Version3.0.0 Updatem3
SpringsourceSpring Framework Version3.0.0 Updatem4
SpringsourceSpring Framework Version3.0.0 Updaterc1
SpringsourceSpring Framework Version3.0.0 Updaterc2
SpringsourceSpring Framework Version3.0.0 Updaterc3
SpringsourceSpring Framework Version3.0.0.m1
SpringsourceSpring Framework Version3.0.0.m2
SpringsourceSpring Framework Version3.0.1
SpringsourceSpring Framework Version3.0.2
SpringsourceSpring Framework Version3.0.3
SpringsourceSpring Framework Version3.0.4
SpringsourceSpring Framework Version3.0.5
SpringsourceSpring Framework Version3.2.5
SpringsourceSpring Framework Version3.2.6
SpringsourceSpring Framework Version4.0.0 Updaterc1
SpringsourceSpring Framework Version4.0.1
VMwareSpring Framework Version <= 3.2.7
VMwareSpring Framework Version3.0.6
VMwareSpring Framework Version3.0.7
VMwareSpring Framework Version3.1.0
VMwareSpring Framework Version3.1.1
VMwareSpring Framework Version3.1.2
VMwareSpring Framework Version3.1.3
VMwareSpring Framework Version3.1.4
VMwareSpring Framework Version3.2.0
VMwareSpring Framework Version3.2.1
VMwareSpring Framework Version3.2.2
VMwareSpring Framework Version3.2.3
VMwareSpring Framework Version3.2.4
VMwareSpring Framework Version4.0.0 Updatemilestone1
VMwareSpring Framework Version4.0.0 Updatemilestone2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 91.35% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://rhn.redhat.com/errata/RHSA-2014-0400.html
http://secunia.com/advisories/57915
Vendor Advisory
http://www.securityfocus.com/bid/66148
https://jira.spring.io/browse/SPR-11376
Vendor Advisory