github - ghsa-8cmm-qj8g-fcp6

ghsa-8cmm-qj8g-fcp6

Vulnerability from github

Published

2022-05-13 01:02

Modified

2024-02-27 23:40

Summary

Cross-Site Request Forgery in Spring Framework

Details

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-webmvc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T23:09:05Z",
    "nvd_published_at": "2014-04-17T14:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.",
  "id": "GHSA-8cmm-qj8g-fcp6",
  "modified": "2024-02-27T23:40:01Z",
  "published": "2022-05-13T01:02:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0054"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/issues/16003"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Cross-Site Request Forgery in Spring Framework"
}

cve-2014-0054

Vulnerability from cvelistv5

Published

2014-04-17 14:00

Modified

2024-08-06 09:05

Severity

Summary

References

URL	Tags
http://www.securityfocus.com/bid/66148	vdb-entry, x_refsource_BID
https://jira.spring.io/browse/SPR-11376	x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2014-0400.html	vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/57915	third-party-advisory, x_refsource_SECUNIA

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website