CVE-2014-0054 (CVSS v2 base score 6.8)
- EPSS 34.58%
- Published 17.04.2014 14:55:06
- Last modified 12.04.2025 10:46:40
- Source secalert@redhat.com
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Data is provided by the National Vulnerability Database (NVD)
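To make the description concrete, here is an added example written for this page, not code from the Spring Framework or from the NVD record. A JAXB-annotated request type is unmarshalled twice from the same crafted body: once with the parser left at its defaults, which is the pattern the converter was vulnerable to, and once through a StAX reader with DTD processing and external entities switched off. The `User` class, the payload and the temporary secret file are all constructed for the demo, and the StAX wrapping is this example's choice of control, not the framework's own patch (the fixed converter applies comparable parser settings internally). It needs `javax.xml.bind` on the classpath, which is bundled in JDK 8 and a separate jaxb-api/jaxb-runtime dependency on JDK 11 and later.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stream.StreamSource;

public class JaxbXxeDemo {

    // Hypothetical request body type, bound by JAXB as a root element.
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
    }

    // Constructed payload: a DOCTYPE declaring an external general entity that
    // points at a local file, referenced from the element JAXB binds to User.name.
    static String craftedXml(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE user [\n"
             + "  <!ENTITY xxe SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<user><name>&xxe;</name></user>";
    }

    // Vulnerable pattern: unmarshal straight from a StreamSource, leaving the
    // parser at its defaults. The default SAX parser resolves &xxe;, so the file
    // contents end up in User.name. An http:// SYSTEM id would be fetched by the
    // server the same way, which is the request-forgery angle in the description.
    static User unmarshalUnsafe(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) u.unmarshal(new StreamSource(new StringReader(xml)));
    }

    // Hardened pattern: parse with a StAX reader that has DTD support and
    // external entity resolution disabled, then hand that reader to JAXB.
    // The DOCTYPE is never processed, so no entity can be resolved; depending
    // on the StAX implementation the document is rejected outright or the
    // reference is reported as undeclared. Either way no file content is read.
    static User unmarshalSafe(String xml) throws Exception {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(User.class).createUnmarshaller();
        return (User) u.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" that the payload tries to exfiltrate.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));
        String xml = craftedXml(secret);

        System.out.println("unsafe name=" + unmarshalUnsafe(xml).name);
        try {
            System.out.println("safe name=" + unmarshalSafe(xml).name);
        } catch (Exception e) {
            System.out.println("safe: rejected, " + e.getClass().getSimpleName());
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it with `javac JaxbXxeDemo.java && java JaxbXxeDemo` (plus the JAXB jars on newer JDKs). The unsafe path prints the temp file's contents in place of the user name; the safe path never does. The same two properties are the ones to check when auditing any code that builds its own `Unmarshaller` or `XMLInputFactory` rather than going through the patched converter.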
Affected configurations (NVD CPE entries):
Springsource ≫ Spring Framework ≫ Version 3.0.0
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update m1
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update m2
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update m3
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update m4
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update rc1
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update rc2
Springsource ≫ Spring Framework ≫ Version 3.0.0 Update rc3
Springsource ≫ Spring Framework ≫ Version 3.0.0.m1
Springsource ≫ Spring Framework ≫ Version 3.0.0.m2
Springsource ≫ Spring Framework ≫ Version 3.0.1
Springsource ≫ Spring Framework ≫ Version 3.0.2
Springsource ≫ Spring Framework ≫ Version 3.0.3
Springsource ≫ Spring Framework ≫ Version 3.0.4
Springsource ≫ Spring Framework ≫ Version 3.0.5
Springsource ≫ Spring Framework ≫ Version 3.2.5
Springsource ≫ Spring Framework ≫ Version 3.2.6
Springsource ≫ Spring Framework ≫ Version 4.0.0 Update rc1
Springsource ≫ Spring Framework ≫ Version 4.0.1
VMware ≫ Spring Framework ≫ Version <= 3.2.7
VMware ≫ Spring Framework ≫ Version 3.0.6
VMware ≫ Spring Framework ≫ Version 3.0.7
VMware ≫ Spring Framework ≫ Version 3.1.0
VMware ≫ Spring Framework ≫ Version 3.1.1
VMware ≫ Spring Framework ≫ Version 3.1.2
VMware ≫ Spring Framework ≫ Version 3.1.3
VMware ≫ Spring Framework ≫ Version 3.1.4
VMware ≫ Spring Framework ≫ Version 3.2.0
VMware ≫ Spring Framework ≫ Version 3.2.1
VMware ≫ Spring Framework ≫ Version 3.2.2
VMware ≫ Spring Framework ≫ Version 3.2.3
VMware ≫ Spring Framework ≫ Version 3.2.4
VMware ≫ Spring Framework ≫ Version 4.0.0 Update milestone1
VMware ≫ Spring Framework ≫ Version 4.0.0 Update milestone2
No CISA KEV entry or CERT.at advisory was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 34.58% | 0.968 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Note that this CWE mapping follows the CSRF impact named in the description; the weakness actually exploited is unrestricted XML external entity resolution (CWE-611, Improper Restriction of XML External Entity Reference). Remediation is therefore to upgrade to Spring Framework 3.2.8 / 4.0.2 or later and to disable DTD and external entity processing in any XML parser the application configures itself, not to add CSRF tokens.