All the vulnerabilities related to springsource - spring_framework
Vulnerability from fkie_nvd
Published
2009-04-27 22:30
Modified
2024-11-21 01:01
Severity ?
Summary
Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:sun:jdk:*:update_22:*:*:*:*:*:*", "matchCriteriaId": "B2BAB703-E024-42CE-B6DF-605A54BF4749", "versionEndIncluding": "1.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C4C1D605-1FE9-4F1A-A374-CC342CD7310C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AEBE2903-9C4E-4BBD-AC12-2408BAF42ED8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.6:update7:*:*:*:*:*:*", "matchCriteriaId": "8722DCD3-C7CB-4D79-808E-FBC1E27A0ED7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.7b:*:*:*:*:*:*:*", "matchCriteriaId": "4E48A0E7-9956-4187-952D-4D4DD2F28099", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.7b:update5:*:*:*:*:*:*", "matchCriteriaId": "8A64F606-A1A8-4ABE-9249-0F3D3D02A182", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update10:*:*:*:*:*:*", "matchCriteriaId": "F16BAE28-B7F1-496F-98AC-43DCA387FA45", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update13:*:*:*:*:*:*", "matchCriteriaId": "2F99B49A-5A04-4EC8-ABD7-1BEAF620C0DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update14:*:*:*:*:*:*", "matchCriteriaId": "E58C529E-0D46-46A2-A6F3-894ECB215A65", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update2:*:*:*:*:*:*", "matchCriteriaId": "C5D8520B-8B24-444F-A47B-ED0733859954", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update7:*:*:*:*:*:*", "matchCriteriaId": "D6A18370-9054-48F5-8766-D4A15F3A67C1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.1.8:update8:*:*:*:*:*:*", "matchCriteriaId": "4053D51D-57A9-495F-9B8D-0076661283EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF39BD92-7733-4408-A907-D292D973D9CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"07425A23-5BF3-441E-B47A-395BE402B2C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.2.1:update3:*:*:*:*:*:*", "matchCriteriaId": "38A647E6-2BC2-4E71-96FB-7CA457484CB4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.2.2:update4:*:*:*:*:*:*", "matchCriteriaId": "5B791B1F-D6AA-451D-A415-C2C9BE44865A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.2.2:update5:*:*:*:*:*:*", "matchCriteriaId": "A4D34197-1500-47C7-848D-676F7592BCD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1AA4DE59-4CF5-49F4-8625-0F3DA2DB7020", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0_01:*:*:*:*:*:*:*", "matchCriteriaId": "4BC733B9-1694-44E3-BF58-34BABBA4E08B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0_02:*:*:*:*:*:*:*", "matchCriteriaId": "991AEC76-0494-4085-9427-52D8BDD75753", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0_03:*:*:*:*:*:*:*", "matchCriteriaId": "12763342-3D3A-4744-941D-4DFD33F79515", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0_04:*:*:*:*:*:*:*", "matchCriteriaId": "D3E28D80-D908-4F17-BF3D-62C970A4D54B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.0_05:*:*:*:*:*:*:*", "matchCriteriaId": "F0D8BC0C-13B8-472D-A077-F2039A637326", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "15AAA894-90A8-4B08-A392-5CB36ABE6F54", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1:update19:*:*:*:*:*:*", "matchCriteriaId": "910AF14C-1993-4740-AE6D-77B55B52AC48", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1:update20:*:*:*:*:*:*", "matchCriteriaId": "8C924560-0EF5-4BC0-8614-2DD5616E076A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_01:*:*:*:*:*:*:*", "matchCriteriaId": "C09F9315-CE9E-4F20-9E8A-597896057A1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_01a:*:*:*:*:*:*:*", "matchCriteriaId": "88DB55B2-7D7F-4EB8-8E29-7D15F735A286", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_02:*:*:*:*:*:*:*", "matchCriteriaId": "38CDFAD5-389F-4F08-AF24-5D8782E86225", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_03:*:*:*:*:*:*:*", "matchCriteriaId": "EE962961-9E1D-4164-A11A-0CA6DC4FFBAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_04:*:*:*:*:*:*:*", "matchCriteriaId": "6E8244F8-C212-420B-BB12-F58B84B64335", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_05:*:*:*:*:*:*:*", "matchCriteriaId": "1E7BB67D-0D40-4C92-8005-C1F876629304", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_06:*:*:*:*:*:*:*", "matchCriteriaId": "926B3423-5AB8-4A7C-A83E-5C363A783AF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_07:*:*:*:*:*:*:*", "matchCriteriaId": "8F623253-2FF5-4398-AF23-A56F06008301", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_08:*:*:*:*:*:*:*", "matchCriteriaId": "A4EE7212-2AF1-4D10-826B-3B6EDDDA6DDE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_09:*:*:*:*:*:*:*", "matchCriteriaId": "9B5A02FE-614B-4B8C-AB9A-57F5C32B36A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_10:*:*:*:*:*:*:*", "matchCriteriaId": "4E781B3C-EA57-4CA6-9F03-117C52552AEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_11:*:*:*:*:*:*:*", "matchCriteriaId": "1227F19E-5A69-422F-A2E1-5280B1836C94", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_12:*:*:*:*:*:*:*", "matchCriteriaId": "18FE8DE3-A93A-4884-9131-84715C776545", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_13:*:*:*:*:*:*:*", "matchCriteriaId": "BA3D41B2-05C4-4EB5-9124-FFC887A010F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_14:*:*:*:*:*:*:*", "matchCriteriaId": "95E09BF6-A2E4-49F3-9E8C-3C7EB5FE782B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_15:*:*:*:*:*:*:*", "matchCriteriaId": "BB23A52B-0F6E-4570-9B72-0D07CF26D536", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sun:jdk:1.3.1_16:*:*:*:*:*:*:*", "matchCriteriaId": "B0E1566F-1257-428F-8DA9-29DB0DF5D647", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_17:*:*:*:*:*:*:*", "matchCriteriaId": "A84080AF-E076-40FD-BDEB-727AAE986AA0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_18:*:*:*:*:*:*:*", "matchCriteriaId": "6FD02135-C3C2-4FCC-A85C-353CD321B97A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_19:*:*:*:*:*:*:*", "matchCriteriaId": "10ACCA84-F469-401B-A68F-0281E5C2D46E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_20:*:*:*:*:*:*:*", "matchCriteriaId": "03B1DA4B-CE36-4828-B10F-8A854CCB368E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_21:*:*:*:*:*:*:*", "matchCriteriaId": "55B201EA-49A8-407A-9893-B3988C936D13", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_22:*:*:*:*:*:*:*", "matchCriteriaId": "DD65ECF9-5495-4F69-B566-C1657473F08B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_23:*:*:*:*:*:*:*", "matchCriteriaId": "671EF738-7846-40A0-B070-649F637782F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_24:*:*:*:*:*:*:*", "matchCriteriaId": "7714D90D-1BF0-4388-B086-17C6D1BC9D66", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_25:*:*:*:*:*:*:*", "matchCriteriaId": "D54C9BE0-9009-41F6-B07F-855358EE5141", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_26:*:*:*:*:*:*:*", "matchCriteriaId": "9C144EF3-5228-4338-921E-547902CC6F1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_27:*:*:*:*:*:*:*", "matchCriteriaId": "4F9F5541-983B-42E3-AA7A-988028303B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.3.1_28:*:*:*:*:*:*:*", "matchCriteriaId": "0B63DC45-DDDB-4D93-81BC-16893FFF558C", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "20C9C594-3DBC-4706-BA88-A662CD28C830", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.0_01:*:*:*:*:*:*:*", 
"matchCriteriaId": "01E34550-4CA8-4AF1-81CA-BBD5AC53BFB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.0_02:*:*:*:*:*:*:*", "matchCriteriaId": "A5AE3D20-565C-4438-A6B6-8FD87511BD8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.0_03:*:*:*:*:*:*:*", "matchCriteriaId": "73966143-616D-4CB7-80A9-3CB3F1F455D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.0_04:*:*:*:*:*:*:*", "matchCriteriaId": "BF742B38-8C5E-4F17-8C75-23A8C61BDB42", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "811DEBE9-356B-4D60-8BE8-AE55CE484D10", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_01:*:*:*:*:*:*:*", "matchCriteriaId": "02F2D988-DFAE-420E-B7BB-440746F4AB76", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_02:*:*:*:*:*:*:*", "matchCriteriaId": "5CEF4A09-4520-422F-8766-AD0D00832BFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_03:*:*:*:*:*:*:*", "matchCriteriaId": "6E06A6F0-9F90-4BCD-A736-0A521E565C97", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_04:*:*:*:*:*:*:*", "matchCriteriaId": "C1032FEB-9948-4501-AB70-94DFBEFD204D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_05:*:*:*:*:*:*:*", "matchCriteriaId": "5BA27821-FAB3-40E2-8D94-F3B5DFB0714B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_06:*:*:*:*:*:*:*", "matchCriteriaId": "0F27CFAE-F807-4643-BAC3-1A6486DE3D33", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.1_07:*:*:*:*:*:*:*", "matchCriteriaId": "4EBF7DA4-B357-4507-8BBE-7AE21CB6CE96", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9E5ACCC-F82F-42F8-860A-92765D0F0B28", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_1:*:*:*:*:*:*:*", "matchCriteriaId": "FA9CA652-9B8C-4175-9ED8-71F441ADF962", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_2:*:*:*:*:*:*:*", "matchCriteriaId": "93B973CB-25CE-4CA4-A4F8-577ED9ACEFEA", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_3:*:*:*:*:*:*:*", "matchCriteriaId": "00F66ED4-F74A-4F61-B01C-122DC98D5324", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_4:*:*:*:*:*:*:*", "matchCriteriaId": "7321A75D-AC6E-486E-8911-AF66A992C8A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_5:*:*:*:*:*:*:*", "matchCriteriaId": "D70B8B14-B4A2-4D05-B999-E2840A2365E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_6:*:*:*:*:*:*:*", "matchCriteriaId": "C3EDC5EB-2E48-462E-BA0B-217BC470DFC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_7:*:*:*:*:*:*:*", "matchCriteriaId": "FA1D44C4-E43A-4D63-A5C9-76E885D3B436", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_8:*:*:*:*:*:*:*", "matchCriteriaId": "52E30E1D-2766-4E79-B9C7-7B998E23A49F", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_9:*:*:*:*:*:*:*", "matchCriteriaId": "1E9872BC-5A24-4855-8D01-4C43BBF5C265", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_10:*:*:*:*:*:*:*", "matchCriteriaId": "E94D13A6-E832-4BDF-8AF2-A4E0EF7DCBA2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_11:*:*:*:*:*:*:*", "matchCriteriaId": "9E5EFE8C-B098-460C-AFE5-C5A938599F7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_12:*:*:*:*:*:*:*", "matchCriteriaId": "040AD56D-A0B7-4AF7-AF3D-4B4BD802516D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_13:*:*:*:*:*:*:*", "matchCriteriaId": "3F0F7DF1-E117-4FD4-9A63-D05747727D01", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_14:*:*:*:*:*:*:*", "matchCriteriaId": "D63DF43C-4781-4E0F-89C4-0BFC841A0488", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_15:*:*:*:*:*:*:*", "matchCriteriaId": "6D29842F-2185-46C5-8091-23ECB06CB680", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_16:*:*:*:*:*:*:*", "matchCriteriaId": "1FF285D8-6E75-4932-A28B-639DA07F1124", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sun:jdk:1.4.2_17:*:*:*:*:*:*:*", "matchCriteriaId": "817C3737-F625-4EE9-BB5C-D4B624EF0DAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_18:*:*:*:*:*:*:*", "matchCriteriaId": "3A152C0A-65CE-438D-8B53-32D1EFC019F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.4.2_19:*:*:*:*:*:*:*", "matchCriteriaId": "BA8DEFA1-AAA4-4AA2-859F-257B9B4D2B05", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "A02CF738-1B4F-44D0-A618-3D3E4EF1C9B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_1:*:*:*:*:*:*", "matchCriteriaId": "8198F493-0447-4A87-9F16-5B6CB3572E38", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_10:*:*:*:*:*:*", "matchCriteriaId": "645BBE6D-BA5E-4D93-9152-759A2355013E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_11:*:*:*:*:*:*", "matchCriteriaId": "0EE694C9-940A-4899-844C-AC63412FA295", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_12:*:*:*:*:*:*", "matchCriteriaId": "BC9476DD-9B56-4811-A248-711C25181F29", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_13:*:*:*:*:*:*", "matchCriteriaId": "68D34082-2948-4D95-B43F-FBD59E2F3D28", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_14:*:*:*:*:*:*", "matchCriteriaId": "F2E01C07-4921-47CC-9AFC-D3B461D0B78D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_15:*:*:*:*:*:*", "matchCriteriaId": "7532E7D4-2F62-4DA0-B905-F95A0A735CE5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_16:*:*:*:*:*:*", "matchCriteriaId": "0AF93193-889E-4F44-ADEB-E89E56DE6C7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_17:*:*:*:*:*:*", "matchCriteriaId": "68C19440-4172-4539-8E38-09DBCB1752E2", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_18:*:*:*:*:*:*", "matchCriteriaId": "3CC000EC-9717-47DA-B182-6C8CD3970F27", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:sun:jdk:1.5.0:update_19:*:*:*:*:*:*", "matchCriteriaId": "115083C5-811F-47BA-8549-3BDFF9CA0740", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_2:*:*:*:*:*:*", "matchCriteriaId": "51337B8C-78F2-4207-998E-A3FC591F538B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_20:*:*:*:*:*:*", "matchCriteriaId": "48193108-CD9F-476E-A7D2-E0796F659BA5", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_21:*:*:*:*:*:*", "matchCriteriaId": "A0A80299-783A-4FBA-9EBF-5913942949A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_3:*:*:*:*:*:*", "matchCriteriaId": "76A4F852-0240-44D6-9BD5-FE79DEF16438", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_4:*:*:*:*:*:*", "matchCriteriaId": "F57E5943-5CC3-4736-85E8-FE7CC4F38735", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_5:*:*:*:*:*:*", "matchCriteriaId": "3C228E00-0F5C-41D2-8BD0-46AF682AE842", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_6:*:*:*:*:*:*", "matchCriteriaId": "0329E813-B2C8-4C84-BCAF-2D54C4AE0472", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_7:*:*:*:*:*:*", "matchCriteriaId": "7E3C40E1-7005-4F83-B347-177BEC9EE339", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_8:*:*:*:*:*:*", "matchCriteriaId": "6855E3F5-6F8E-44FA-A913-0D0F6A803DFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update_9:*:*:*:*:*:*", "matchCriteriaId": "C79BDB6E-442B-41F1-A025-C17648A81FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*", "matchCriteriaId": "EE8E883F-E13D-4FB0-8C6F-B7628600E8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update10:*:*:*:*:*:*", "matchCriteriaId": "2AADA633-EB11-49A0-8E40-66589034F03E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update11:*:*:*:*:*:*", "matchCriteriaId": "19DC29C5-1B9F-46DF-ACF6-3FF93E45777D", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*", "matchCriteriaId": "646DDCA6-AAC4-4FA8-B9B5-51F88D4C001D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update12:*:*:*:*:*:*", "matchCriteriaId": "B120F7D9-7C1E-4716-B2FA-2990D449F754", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update13:*:*:*:*:*:*", "matchCriteriaId": "CD61E49F-2A46-4107-BB3F-527079983306", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update14:*:*:*:*:*:*", "matchCriteriaId": "D900AAE0-6032-4096-AFC2-3D43C55C6C83", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update15:*:*:*:*:*:*", "matchCriteriaId": "88B0958C-744C-4946-908C-09D2A5FAB120", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update16:*:*:*:*:*:*", "matchCriteriaId": "C3E7F3CA-FFB3-42B3-A64F-0E38FAF252FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update17:*:*:*:*:*:*", "matchCriteriaId": "9A2D8D09-3F18-4E73-81CF-BB589BB8AEC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update18:*:*:*:*:*:*", "matchCriteriaId": "3FD24779-988F-4EC1-AC19-77186B68229E", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update19:*:*:*:*:*:*", "matchCriteriaId": "4F1E860E-98F2-48FF-B8B3-54D4B58BF81F", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update2:*:*:*:*:*:*", "matchCriteriaId": "28BE548B-DD0C-4C58-98CA-5B803F04F9EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update20:*:*:*:*:*:*", "matchCriteriaId": "505A8F40-7758-412F-8895-FA1B00BE6B7D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update21:*:*:*:*:*:*", "matchCriteriaId": "212F4A5F-87E3-4C62-BA21-46CBBCD8D26A", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update22:*:*:*:*:*:*", "matchCriteriaId": "5C4DFCD2-00A3-4BC7-8842-836CE22C7B39", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update23:*:*:*:*:*:*", "matchCriteriaId": "EB3A0C49-3FF9-4CB7-9E01-F771D4925103", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update24:*:*:*:*:*:*", "matchCriteriaId": "F7D1BBD4-2F88-4372-B863-BB70753D841B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update25:*:*:*:*:*:*", "matchCriteriaId": "9A75A4C0-6B49-424B-BEC0-0E0AAEF877B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update3:*:*:*:*:*:*", "matchCriteriaId": "5F8E9AA0-8907-4B1A-86A1-08568195217D", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update4:*:*:*:*:*:*", "matchCriteriaId": "A337AD31-4566-4A4E-AFF3-7EAECD5C90F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update5:*:*:*:*:*:*", "matchCriteriaId": "0754AFDC-2F1C-4C06-AB46-457B5E610029", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update6:*:*:*:*:*:*", "matchCriteriaId": "532CF9DD-0EBB-4B3B-BB9C-A8D78947A790", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update7:*:*:*:*:*:*", "matchCriteriaId": "DC0ABF7A-107B-4B97-9BD7-7B0CEDAAF359", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*", "matchCriteriaId": "59ED507D-AEF8-4631-A298-8BDA6D6E8CB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update8:*:*:*:*:*:*", "matchCriteriaId": "A5DA4242-30D9-44C8-9D0D-877348FFA22B", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*", "matchCriteriaId": "C61C6043-99D0-4F36-AF84-1A5F90B895EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0_03:*:solaris:*:*:*:*:*", "matchCriteriaId": "0DF9EC3A-E40C-415B-8BF3-40D3C474AF70", "vulnerable": true }, { "criteria": "cpe:2.3:a:sun:jdk:1.5.0_03:*:windows:*:*:*:*:*", "matchCriteriaId": "937EEE89-443C-4435-9064-EE228B3CEBD9", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:dm_server:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D95E4679-D525-4E6A-921F-9CE1C7E1EE09", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:dm_server:1.0.1:*:*:*:*:*:*:*", 
"matchCriteriaId": "2A8C3A93-F837-4595-8A4D-F53CA97AC7E4", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:dm_server:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "27410ECF-4E3D-40B2-86A6-6A4BAA9E9C82", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "12B16A98-BB2E-4F5B-AE14-F84B6A879097", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1274AB42-FE68-4EF5-B11F-6343685A7747", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:m1:*:*:*:*:*:*", "matchCriteriaId": "E88635C7-2305-41F6-9BD9-8E945F524C12", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:m2:*:*:*:*:*:*", "matchCriteriaId": "2DD492C8-A0EF-44E8-AC9F-56F8F64C99A4", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:m3:*:*:*:*:*:*", "matchCriteriaId": "C419AC44-21A5-456C-B537-B8BAF475BCF3", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:m4:*:*:*:*:*:*", "matchCriteriaId": "EFAAE3B9-C62E-47F6-A23D-1024E5870B7E", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:m5:*:*:*:*:*:*", "matchCriteriaId": "DA630C68-21E8-4F2A-8044-5DAF3CA3CC37", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "012985DE-5D39-470C-8E51-5AFCED594FB9", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "94639F24-EEF4-4AA3-83F4-6C86A3286E5B", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "6649C191-78C3-403F-BEAF-741AF9FF2893", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "6A4E6F8A-44B0-4982-9D52-96E8C85D9CFF", "vulnerable": false }, { "criteria": 
"cpe:2.3:a:springsource:spring_framework:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "56CC4457-E99A-4AAF-B9FA-E4852E4E1967", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C0474C87-8CC6-4E71-B350-3A4AA7CF452D", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "5049E640-145C-4338-B25C-7AA82A67FA0C", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "CCDB933A-AED3-4A0B-9911-CBBF0B9E91B6", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "58F22748-6F62-495A-96F5-694E5E1EBCB8", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.1:m1:*:*:*:*:*:*", "matchCriteriaId": "030CC42C-8582-4B71-B93E-9D7AE5D2EBF9", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.1:m2:*:*:*:*:*:*", "matchCriteriaId": "629C79A0-0233-4750-9A43-F98C97BBA47D", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.1:m3:*:*:*:*:*:*", "matchCriteriaId": "AB6958CD-61D4-41ED-A16A-2B74E17AD501", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.1:m4:*:*:*:*:*:*", "matchCriteriaId": "AC4E5B16-5012-44CD-9719-ADDAACF4FBAE", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5ECA0EF4-6BEA-4464-B098-37C0342AEDDF", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F45DF1E8-2BB9-45A6-96C4-406C81827E68", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FFE1B570-A480-46AD-A8AE-E984824CF6BE", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"B4DDA5A7-62A4-471A-9B01-D54CF560BF56", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "B977B334-EC1A-45BD-976D-3DF3332ADA90", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "6DC37B55-E7DF-4426-B1E2-2644078EDD19", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "A939B963-7C6C-4617-A695-A9CC4FC774EE", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "F709DAAC-AA32-4D37-9E0C-A014FB519697", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", "matchCriteriaId": "13E1344C-CB41-48FC-BB98-7FEBEBF190E9", "vulnerable": false }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", "matchCriteriaId": "AD66E687-C387-486D-AC34-279961311A8F", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540." 
}, { "lang": "es", "value": "Una vulnerabilidad de complejidad algor\u00edtmica en el m\u00e9todo java.util.regex.Pattern.compile en Sun Java Development Kit (JDK) antes de la versi\u00f3n 1.6, cuando se utiliza con spring.jar en la plataforma SpringSource Spring Framework v1.1.0 a la v2.5.6 y v3.0.0.M1 a y v3.0.0.M2 y dm Server v1.0.0 a v1.0.2, permite a atacantes remotos provocar una denegaci\u00f3n de servicio (mediante un excesivo consumo de CPU) a trav\u00e9s de datos serializables con una cadena regex demasiado larga que almacene multiples grupos opcionales. Vulnerabilidad relacionada con la CVE-2004-2540." } ], "id": "CVE-2009-1190", "lastModified": "2024-11-21T01:01:52.667", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-04-27T22:30:00.267", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/34892" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/502926/100/0/threaded" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.springsource.com/securityadvisory" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=497161" }, { "source": "secalert@redhat.com", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/50083" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/34892" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/502926/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.springsource.com/securityadvisory" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=497161" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50083" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-06-21 16:30
Modified
2024-11-21 01:14
Severity ?
Summary
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
oracle | fusion_middleware | 7.6.2 | |
oracle | fusion_middleware | 11.1.1.6.1 | |
oracle | fusion_middleware | 11.1.1.8.0 | |
springsource | spring_framework | 2.5.0 | |
springsource | spring_framework | 2.5.1 | |
springsource | spring_framework | 2.5.2 | |
springsource | spring_framework | 2.5.3 | |
springsource | spring_framework | 2.5.4 | |
springsource | spring_framework | 2.5.5 | |
springsource | spring_framework | 2.5.6 | |
springsource | spring_framework | 2.5.7 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.1 | |
springsource | spring_framework | 3.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "2A9B040F-4062-45C1-A659-B5E9242B54CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "6DF57046-4537-475E-B25E-2375492850DD", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "4227A17D-C070-406A-BEB7-6D43F3A0E98A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5ECA0EF4-6BEA-4464-B098-37C0342AEDDF", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4DDA5A7-62A4-471A-9B01-D54CF560BF56", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "B977B334-EC1A-45BD-976D-3DF3332ADA90", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "6DC37B55-E7DF-4426-B1E2-2644078EDD19", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "A939B963-7C6C-4617-A695-A9CC4FC774EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "F709DAAC-AA32-4D37-9E0C-A014FB519697", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "BC2B4BF5-FFAE-475F-AF1B-835497BF86D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file." }, { "lang": "es", "value": "SpringSource Spring Framework v2.5.x anteriores a v2.5.6.SEC02, v2.5.7 anteriores a v2.5.7.SR01, y v3.0.x anteriores a v3.0.3 permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de una petici\u00f3n HTTP que contenga class.classLoader.URLs[0]=jar: seguida por una URL de un fichero .jar modificado." } ], "evaluatorComment": "The previous CVSS assessment 5.1 (AV:N/AC:M/Au:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time. The score has been updated to reflect the impact to Oracle products per \u003ca href=http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\u003e Oracle Critical Patch Update Advisory - October 2015 \u003c/a\u003e. 
Other products listed as vulnerable may or may not be similarly impacted.", "id": "CVE-2010-1622", "lastModified": "2024-11-21T01:14:49.797", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-06-21T16:30:01.180", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/21x-security-report.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/22x-security-report.html" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/41016" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/41025" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/43087" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/13918" }, { "source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" }, { "source": "secalert@redhat.com", "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/archive/1/511877" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/40954" }, { "source": 
"secalert@redhat.com", "url": "http://www.securitytracker.com/id/1033898" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.springsource.com/security/cve-2010-1622" }, { "source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2011/0237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/21x-security-report.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://geronimo.apache.org/22x-security-report.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/41016" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/41025" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/43087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/13918" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/archive/1/511877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/40954" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1033898" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "http://www.springsource.com/security/cve-2010-1622" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2011/0237" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-01-23 21:55
Modified
2024-11-21 02:00
Severity ?
Summary
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 m1 | |
springsource | spring_framework | 3.0.0 m2 | |
springsource | spring_framework | 3.0.0 m3 | |
springsource | spring_framework | 3.0.0 m4 | |
springsource | spring_framework | 3.0.0 rc1 | |
springsource | spring_framework | 3.0.0 rc2 | |
springsource | spring_framework | 3.0.0 rc3 | |
springsource | spring_framework | 3.0.0.m1 | |
springsource | spring_framework | 3.0.0.m2 | |
springsource | spring_framework | 3.0.1 | |
springsource | spring_framework | 3.0.2 | |
springsource | spring_framework | 3.0.3 | |
springsource | spring_framework | 3.0.4 | |
springsource | spring_framework | 3.0.5 | |
vmware | spring_framework | * (up to and including 3.2.3) | |
vmware | spring_framework | 3.0.6 | |
vmware | spring_framework | 3.0.7 | |
vmware | spring_framework | 3.1.0 | |
vmware | spring_framework | 3.1.1 | |
vmware | spring_framework | 3.1.2 | |
vmware | spring_framework | 3.1.3 | |
vmware | spring_framework | 3.1.4 | |
vmware | spring_framework | 3.2.0 | |
vmware | spring_framework | 3.2.1 | |
vmware | spring_framework | 3.2.2 | |
vmware | spring_framework | 4.0.0 milestone1 | |
vmware | spring_framework | 4.0.0 milestone2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", "matchCriteriaId": "13E1344C-CB41-48FC-BB98-7FEBEBF190E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", "matchCriteriaId": "AD66E687-C387-486D-AC34-279961311A8F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*", "matchCriteriaId": "49018DD7-9E85-4B4D-B054-CD17EFB13E87", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*", "matchCriteriaId": "37FC3F37-A033-491B-96F0-8B38E2E43BFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "12021339-C885-4A9E-95C1-4695F3DC1F76", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "6FB321B9-4838-4AAC-B8AF-C92015C946A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "DC19AE9E-B46C-4872-B562-E97DC80543F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*", "matchCriteriaId": "32F4893D-61E6-4E7F-A30A-3AB96264531B", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*", "matchCriteriaId": "B7F99079-D584-456B-A116-62D10FBF8233", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "637484A7-AB05-4F64-9311-6741BDF2579F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "FAE5CFA5-769F-49E9-A7A9-56C8CED8692E", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB86A413-9595-4BD1-A5FD-1A62B93EA1C9", "versionEndIncluding": "3.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "B9D5172D-5E19-40C1-8C1B-CC22706E780D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "46E410D2-DA53-4806-B296-451C3D9CDEEA", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "20D6E5AC-9898-416F-8268-3623E1706072", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B61F3E25-A415-4A25-91D6-4FBA6F575AAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A2C4C81-2E79-411C-AEB8-A5E40FC28D31", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "010915FE-3BCE-4652-8D8B-47EE085F3BEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "D16C8EFA-F1E4-48C3-BC86-A132873426C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "47CED0ED-D67E-48AF-BB1A-EB1030897A8C", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D2E2EA60-735E-431E-BEFE-DC5C1046E532", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "FD20A2BE-2024-4DAA-825E-213ACB667DE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "264458EB-2332-438F-8635-414E388E25EA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions." }, { "lang": "es", "value": "El Spring MVC en Spring Framework anterior a 3.2.4 y 4.0.0.M1 hasta 4.0.0.M2 no desactiva la resoluci\u00f3n de entidades externas para la StAX XMLInputFactory, que permite a atacantes dependientes de contexto para leer archivos arbitrarios, provocar una denegaci\u00f3n de servicio, y llevar a cabo ataques CSRF trav\u00e9s de XML manipulado con JAXB, tambi\u00e9n conocido como un problema XML External Entity (XXE) , y una vulnerabilidad diferente a CVE-2013-4152. NOTA: este problema se separ\u00f3 de CVE-2013-4152, debido a las diferentes versiones afectadas." 
} ], "id": "CVE-2013-7315", "lastModified": "2024-11-21T02:00:43.573", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-01-23T21:55:05.210", "references": [ { "source": "cve@mitre.org", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/77998" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "https://jira.springsource.org/browse/SPR-10806" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/77998" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://jira.springsource.org/browse/SPR-10806" } 
], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-17 14:55
Modified
2024-11-21 02:01
Severity ?
Summary
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", "matchCriteriaId": "13E1344C-CB41-48FC-BB98-7FEBEBF190E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", "matchCriteriaId": "AD66E687-C387-486D-AC34-279961311A8F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*", "matchCriteriaId": "49018DD7-9E85-4B4D-B054-CD17EFB13E87", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*", "matchCriteriaId": "37FC3F37-A033-491B-96F0-8B38E2E43BFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "12021339-C885-4A9E-95C1-4695F3DC1F76", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "6FB321B9-4838-4AAC-B8AF-C92015C946A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "DC19AE9E-B46C-4872-B562-E97DC80543F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*", "matchCriteriaId": "32F4893D-61E6-4E7F-A30A-3AB96264531B", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*", "matchCriteriaId": "B7F99079-D584-456B-A116-62D10FBF8233", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "637484A7-AB05-4F64-9311-6741BDF2579F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "FAE5CFA5-769F-49E9-A7A9-56C8CED8692E", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "84A59B07-7EF0-4744-AF78-59C2C9C7DCD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "373153C1-402D-4159-8B72-5C8544846CC6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4D9CB60A-0AFB-4572-9406-B848B71A37F2", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A943BB84-9368-48F2-96DD-65EF0AEDEFE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "35922ADD-3B00-4928-AF5E-5449CB55D5C5", "versionEndIncluding": "3.2.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "B9D5172D-5E19-40C1-8C1B-CC22706E780D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "46E410D2-DA53-4806-B296-451C3D9CDEEA", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "20D6E5AC-9898-416F-8268-3623E1706072", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B61F3E25-A415-4A25-91D6-4FBA6F575AAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"8A2C4C81-2E79-411C-AEB8-A5E40FC28D31", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "010915FE-3BCE-4652-8D8B-47EE085F3BEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "D16C8EFA-F1E4-48C3-BC86-A132873426C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "47CED0ED-D67E-48AF-BB1A-EB1030897A8C", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D2E2EA60-735E-431E-BEFE-DC5C1046E532", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "7CC0E26F-2E8B-4B30-8C43-8BD2015EBB88", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "3CB73406-5FE4-438E-BCB7-57FBF6EC38D0", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "FD20A2BE-2024-4DAA-825E-213ACB667DE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "264458EB-2332-438F-8635-414E388E25EA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429." 
}, { "lang": "es", "value": "Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterior a 3.2.8 y 4.0.0 anterior a 4.0.2 no deshabilita resoluci\u00f3n de entidad externa, lo que permite a atacantes remotos leer archivos arbitrarios, causar una denegaci\u00f3n de servicio y realizar ataques CSRF a trav\u00e9s de XML manipulado, tambi\u00e9n conocido como un problema de entidad externa XML (XXE). NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para CVE-2013-4152, CVE-2013-7315 y CVE-2013-6429." } ], "id": "CVE-2014-0054", "lastModified": "2024-11-21T02:01:15.597", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-17T14:55:06.417", "references": [ { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/57915" }, { "source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/66148" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://jira.spring.io/browse/SPR-11376" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/57915" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66148" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jira.spring.io/browse/SPR-11376" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-12-05 17:55
Modified
2024-11-21 01:28
Severity ?
Summary
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
springsource | spring_framework | * (up to and including 2.5.7_sr01) | |
springsource | spring_framework | * (up to and including 3.0.5) | |
springsource | spring_framework | 2.5.0 | |
springsource | spring_framework | 2.5.0 rc1 | |
springsource | spring_framework | 2.5.0 rc2 | |
springsource | spring_framework | 2.5.1 | |
springsource | spring_framework | 2.5.2 | |
springsource | spring_framework | 2.5.3 | |
springsource | spring_framework | 2.5.4 | |
springsource | spring_framework | 2.5.5 | |
springsource | spring_framework | 2.5.6 | |
springsource | spring_framework | 2.5.7 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.1 | |
springsource | spring_framework | 3.0.2 | |
springsource | spring_framework | 3.0.3 | |
springsource | spring_framework | 3.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FED8FEA-E8FD-49D9-AEB9-3C7976B147E4", "versionEndIncluding": "2.5.7_sr01", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC66D40E-516C-477D-A1AC-6A0E19383DDC", "versionEndIncluding": "3.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5ECA0EF4-6BEA-4464-B098-37C0342AEDDF", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F45DF1E8-2BB9-45A6-96C4-406C81827E68", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FFE1B570-A480-46AD-A8AE-E984824CF6BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4DDA5A7-62A4-471A-9B01-D54CF560BF56", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "B977B334-EC1A-45BD-976D-3DF3332ADA90", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "6DC37B55-E7DF-4426-B1E2-2644078EDD19", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "A939B963-7C6C-4617-A695-A9CC4FC774EE", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "F709DAAC-AA32-4D37-9E0C-A014FB519697", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "BC2B4BF5-FFAE-475F-AF1B-835497BF86D9", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "637484A7-AB05-4F64-9311-6741BDF2579F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "FAE5CFA5-769F-49E9-A7A9-56C8CED8692E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka \"Expression Language Injection.\"" }, { "lang": "es", "value": "VMware SpringSource Spring Framework anterior a v2.5.6.SEC03, v2.5.7.SR023, y v3.x anterior a v3.0.6, cuando el contenedor soporta Expression Language (EL), eval\u00faa expresiones EL en etiquetas, permite a atacantes remotos obtener informaci\u00f3n sensible mediante (1) el atributo name en a (a) spring:hasBindErrors; (2) el atributo path en a (b) spring:bind o (c) spring:nestedpath; (3) arguments, (4) code, (5) text, (6) 
var, (7) scope, o (8) atributo message in a (d) spring:message o (e) spring:theme; or (9) var, (10) scope, or (11) atributo value en a (f) spring:transform, tambi\u00e9n conocido como \"Inyecci\u00f3n de Expresi\u00f3n de Lenguaje\"" } ], "evaluatorComment": "Per update to http://support.springsource.com/security/cve-2011-2730", "evaluatorImpact": "Per update to Hyperlink Record 1199655 (http://support.springsource.com/security/cve-2011-2730), the score has been adjusted based on remote code execution", "id": "CVE-2011-2730", "lastModified": "2024-11-21T01:28:51.097", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-12-05T17:55:01.413", "references": [ { "source": "secalert@redhat.com", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html" }, { "source": 
"secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51984" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/52054" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/55155" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://support.springsource.com/security/cve-2011-2730" }, { "source": "secalert@redhat.com", "url": "http://www.debian.org/security/2012/dsa-2504" }, { "source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1029151" }, { "source": "secalert@redhat.com", "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://rhn.redhat.com/errata/RHSA-2013-0197.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/51984" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/52054" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/55155" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://support.springsource.com/security/cve-2011-2730" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2012/dsa-2504" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1029151" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-16" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-01-23 21:55
Modified
2024-11-21 01:54
Severity ?
Summary
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0 | |
springsource | spring_framework | 3.0.0.m1 | |
springsource | spring_framework | 3.0.0.m2 | |
springsource | spring_framework | 3.0.1 | |
springsource | spring_framework | 3.0.2 | |
springsource | spring_framework | 3.0.3 | |
springsource | spring_framework | 3.0.4 | |
springsource | spring_framework | 3.0.5 | |
vmware | spring_framework | * | |
vmware | spring_framework | 3.0.6 | |
vmware | spring_framework | 3.0.7 | |
vmware | spring_framework | 3.1.0 | |
vmware | spring_framework | 3.1.1 | |
vmware | spring_framework | 3.1.2 | |
vmware | spring_framework | 3.1.3 | |
vmware | spring_framework | 3.1.4 | |
vmware | spring_framework | 3.2.0 | |
vmware | spring_framework | 3.2.1 | |
vmware | spring_framework | 3.2.2 | |
vmware | spring_framework | 4.0.0 | |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*", "matchCriteriaId": "13E1344C-CB41-48FC-BB98-7FEBEBF190E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*", "matchCriteriaId": "AD66E687-C387-486D-AC34-279961311A8F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*", "matchCriteriaId": "49018DD7-9E85-4B4D-B054-CD17EFB13E87", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*", "matchCriteriaId": "37FC3F37-A033-491B-96F0-8B38E2E43BFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "12021339-C885-4A9E-95C1-4695F3DC1F76", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "6FB321B9-4838-4AAC-B8AF-C92015C946A0", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "DC19AE9E-B46C-4872-B562-E97DC80543F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*", "matchCriteriaId": "32F4893D-61E6-4E7F-A30A-3AB96264531B", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*", "matchCriteriaId": "B7F99079-D584-456B-A116-62D10FBF8233", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "637484A7-AB05-4F64-9311-6741BDF2579F", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "FAE5CFA5-769F-49E9-A7A9-56C8CED8692E", "vulnerable": true }, { "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "528C85CE-2CC6-4B09-8C25-44A2B1C2D8B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB86A413-9595-4BD1-A5FD-1A62B93EA1C9", "versionEndIncluding": "3.2.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "B9D5172D-5E19-40C1-8C1B-CC22706E780D", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "46E410D2-DA53-4806-B296-451C3D9CDEEA", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "20D6E5AC-9898-416F-8268-3623E1706072", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B61F3E25-A415-4A25-91D6-4FBA6F575AAB", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A2C4C81-2E79-411C-AEB8-A5E40FC28D31", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "010915FE-3BCE-4652-8D8B-47EE085F3BEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "D16C8EFA-F1E4-48C3-BC86-A132873426C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "47CED0ED-D67E-48AF-BB1A-EB1030897A8C", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D2E2EA60-735E-431E-BEFE-DC5C1046E532", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DFD1FA92-7BFC-4874-89FC-BE0F378F0DB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "FD20A2BE-2024-4DAA-825E-213ACB667DE9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue." }, { "lang": "es", "value": "El wrapper Spring OXM en Spring Framework anterior a la versi\u00f3n 3.2.4 y 4.0.0.M1, cuando se usa el JAXB marshaller, no desactiva la resoluci\u00f3n de entidad, lo que permite a atacantes dependientes del contexto leer archivos arbitrarios, provocar una denegaci\u00f3n de servicio, o llevar a cabo ataques de CSRF a trav\u00e9s de una declaraci\u00f3n de entidad XML externa en conjunci\u00f3n con una referencia de entidad en (1) DOMSource, (2) StAXSource, (3) SAXSource, o (4) StreamSource, tambi\u00e9n conocido como una vulnerabilidad XXE." 
} ], "id": "CVE-2013-4152", "lastModified": "2024-11-21T01:54:58.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-01-23T21:55:04.853", "references": [ { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html" }, { "source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/56247" }, { "source": "secalert@redhat.com", "url": "http://secunia.com/advisories/57915" }, { "source": "secalert@redhat.com", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/61951" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/spring-projects/spring-framework/pull/317/files" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": 
"https://jira.springsource.org/browse/SPR-10806" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/56247" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/57915" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/61951" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/spring-projects/spring-framework/pull/317/files" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://jira.springsource.org/browse/SPR-10806" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2013-7315
Vulnerability from cvelistv5
Published
2014-01-23 21:00
Modified
2024-08-06 18:01
Severity ?
EPSS score ?
Summary
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
References
URL | Tags | |
---|---|---|
http://www.gopivotal.com/security/cve-2013-4152 | x_refsource_CONFIRM | |
http://seclists.org/fulldisclosure/2013/Nov/14 | mailing-list, x_refsource_FULLDISC | |
http://seclists.org/bugtraq/2013/Aug/154 | mailing-list, x_refsource_BUGTRAQ | |
http://www.debian.org/security/2014/dsa-2842 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/77998 | vdb-entry, x_refsource_BID | |
https://jira.springsource.org/browse/SPR-10806 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:01:20.592Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "20131102 XXE Injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "77998", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/77998" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.springsource.org/browse/SPR-10806" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-22T00:00:00", "descriptions": [ { "lang": "en", "value": "The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "20131102 XXE Injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "77998", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/77998" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.springsource.org/browse/SPR-10806" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7315", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.gopivotal.com/security/cve-2013-4152", "refsource": "CONFIRM", "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "20131102 XXE Injection in Spring Framework", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "77998", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77998" }, { "name": "https://jira.springsource.org/browse/SPR-10806", "refsource": "CONFIRM", "url": "https://jira.springsource.org/browse/SPR-10806" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7315", "datePublished": "2014-01-23T21:00:00", "dateReserved": "2014-01-23T00:00:00", "dateUpdated": "2024-08-06T18:01:20.592Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-1190
Vulnerability from cvelistv5
Published
2009-04-27 22:00
Modified
2024-08-07 05:04
Severity ?
EPSS score ?
Summary
Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.
References
URL | Tags | |
---|---|---|
http://www.securityfocus.com/archive/1/502926/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/50083 | vdb-entry, x_refsource_XF | |
https://bugzilla.redhat.com/show_bug.cgi?id=497161 | x_refsource_CONFIRM | |
http://www.springsource.com/securityadvisory | x_refsource_CONFIRM | |
http://secunia.com/advisories/34892 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:04:49.369Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20090424 CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/502926/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf" }, { "name": "springframework-data-dos(50083)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50083" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=497161" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.springsource.com/securityadvisory" }, { "name": "34892", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/34892" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-04-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "20090424 CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/502926/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf" }, { "name": "springframework-data-dos(50083)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50083" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=497161" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.springsource.com/securityadvisory" }, { "name": "34892", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/34892" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-1190", "datePublished": "2009-04-27T22:00:00", "dateReserved": "2009-03-31T00:00:00", "dateUpdated": "2024-08-07T05:04:49.369Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-1622
Vulnerability from cvelistv5
Published
2010-06-21 16:00
Modified
2024-08-07 01:28
Severity ?
EPSS score ?
Summary
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T01:28:42.999Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html" }, { "name": "ADV-2011-0237", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0237" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" }, { "name": "13918", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/13918" }, { "name": "43087", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43087" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.springsource.com/security/cve-2010-1622" }, { "name": "41025", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41025" }, { "name": "RHSA-2011:0175", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://geronimo.apache.org/22x-security-report.html" }, { "name": "40954", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/40954" }, { "name": "41016", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41016" }, { "name": "1033898", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1033898" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://geronimo.apache.org/21x-security-report.html" }, { "name": "20100618 
CVE-2010-1622: Spring Framework execution of arbitrary code", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/511877" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-06-18T00:00:00", "descriptions": [ { "lang": "en", "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-05T21:57:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html" }, { "name": "ADV-2011-0237", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0237" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" }, { "name": "13918", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/13918" }, { "name": "43087", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43087" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.springsource.com/security/cve-2010-1622" }, { "name": "41025", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41025" }, { "name": "RHSA-2011:0175", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://geronimo.apache.org/22x-security-report.html" }, { "name": "40954", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/40954" }, { "name": "41016", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41016" }, { "name": "1033898", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1033898" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://geronimo.apache.org/21x-security-report.html" }, { "name": "20100618 CVE-2010-1622: Spring Framework execution of arbitrary code", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/511877" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-1622", "datePublished": "2010-06-21T16:00:00", "dateReserved": "2010-04-29T00:00:00", "dateUpdated": "2024-08-07T01:28:42.999Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-0054
Vulnerability from cvelistv5
Published
2014-04-17 14:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
References
URL | Tags | |
---|---|---|
http://www.securityfocus.com/bid/66148 | vdb-entry, x_refsource_BID | |
https://jira.spring.io/browse/SPR-11376 | x_refsource_CONFIRM | |
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | x_refsource_CONFIRM | |
http://rhn.redhat.com/errata/RHSA-2014-0400.html | vendor-advisory, x_refsource_REDHAT | |
http://secunia.com/advisories/57915 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:05:38.783Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "66148", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66148" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.spring.io/browse/SPR-11376" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "name": "RHSA-2014:0400", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "57915", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57915" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-31T00:00:00", "descriptions": [ { "lang": "en", "value": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-19T01:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "66148", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66148" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.spring.io/browse/SPR-11376" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "name": "RHSA-2014:0400", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "57915", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57915" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0054", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "66148", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66148" }, { "name": "https://jira.spring.io/browse/SPR-11376", "refsource": "CONFIRM", "url": "https://jira.spring.io/browse/SPR-11376" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "name": "RHSA-2014:0400", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "57915", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57915" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0054", "datePublished": "2014-04-17T14:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:38.783Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-2730
Vulnerability from cvelistv5
Published
2012-12-05 17:00
Modified
2024-08-06 23:08
Summary
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:08:23.793Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.springsource.com/security/cve-2011-2730" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" }, { "name": "RHSA-2013:0192", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html" }, { "name": "RHSA-2013:0198", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html" }, { "name": "RHSA-2013:0195", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html" }, { "name": "RHSA-2013:0221", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html" }, { "name": "DSA-2504", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2012/dsa-2504" }, { "name": "RHSA-2013:0196", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html" }, { "name": "55155", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55155" }, { "name": "RHSA-2013:0193", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html" }, { "name": "51984", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51984" }, { "name": "52054", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52054" }, { "name": "RHSA-2013:0191", "tags": [ 
"vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html" }, { "name": "RHSA-2013:0533", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html" }, { "name": "RHSA-2013:0197", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "name": "1029151", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1029151" }, { "name": "RHSA-2013:0194", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-09-09T00:00:00", "descriptions": [ { "lang": "en", "value": "VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka \"Expression Language Injection.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } 
], "providerMetadata": { "dateUpdated": "2017-08-08T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.springsource.com/security/cve-2011-2730" }, { "tags": [ "x_refsource_MISC" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814" }, { "name": "RHSA-2013:0192", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html" }, { "name": "RHSA-2013:0198", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html" }, { "name": "RHSA-2013:0195", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html" }, { "name": "RHSA-2013:0221", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html" }, { "name": "DSA-2504", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2012/dsa-2504" }, { "name": "RHSA-2013:0196", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html" }, { "name": "55155", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55155" }, { "name": "RHSA-2013:0193", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html" }, { "name": "51984", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51984" }, { "name": "52054", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52054" }, { "name": "RHSA-2013:0191", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html" }, { "name": "RHSA-2013:0533", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"http://rhn.redhat.com/errata/RHSA-2013-0533.html" }, { "name": "RHSA-2013:0197", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "name": "1029151", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1029151" }, { "name": "RHSA-2013:0194", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://docs.google.com/document/d/1dc1xxO8UMFaGLOwgkykYdghGWm_2Gn0iCrxFsympqcE/edit" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-2730", "datePublished": "2012-12-05T17:00:00", "dateReserved": "2011-07-11T00:00:00", "dateUpdated": "2024-08-06T23:08:23.793Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4152
Vulnerability from cvelistv5
Published
2014-01-23 21:00
Modified
2024-08-06 16:30
Summary
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:30:49.922Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/spring-projects/spring-framework/pull/317/files" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "61951", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61951" }, { "name": "20131102 XXE Injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "RHSA-2014:0254", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "RHSA-2014:0212", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "name": "RHSA-2014:0400", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "RHSA-2014:0245", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html" }, { "name": "57915", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57915" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jira.springsource.org/browse/SPR-10806" }, { 
"name": "56247", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56247" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-08-22T00:00:00", "descriptions": [ { "lang": "en", "value": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/spring-projects/spring-framework/pull/317/files" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "61951", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61951" }, { "name": "20131102 XXE Injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "RHSA-2014:0254", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], 
"url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "RHSA-2014:0212", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "name": "RHSA-2014:0400", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "RHSA-2014:0245", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html" }, { "name": "57915", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57915" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jira.springsource.org/browse/SPR-10806" }, { "name": "56247", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56247" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4152", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/spring-projects/spring-framework/pull/317/files", "refsource": "CONFIRM", "url": "https://github.com/spring-projects/spring-framework/pull/317/files" }, { "name": "http://www.gopivotal.com/security/cve-2013-4152", "refsource": "CONFIRM", "url": "http://www.gopivotal.com/security/cve-2013-4152" }, { "name": "61951", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61951" }, { "name": "20131102 XXE Injection in Spring Framework", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Nov/14" }, { "name": "RHSA-2014:0254", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html" }, { "name": "20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2013/Aug/154" }, { "name": "DSA-2842", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2842" }, { "name": "RHSA-2014:0212", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "name": "RHSA-2014:0400", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "name": "RHSA-2014:0245", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html" }, { "name": "57915", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57915" }, { "name": "https://jira.springsource.org/browse/SPR-10806", "refsource": "CONFIRM", "url": "https://jira.springsource.org/browse/SPR-10806" }, { "name": "56247", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56247" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4152", "datePublished": "2014-01-23T21:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": 
"2024-08-06T16:30:49.922Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }