CVE-2014-0225

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2014-0225
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2014-0225.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2014-0225
Aliases
Related
Published
2017-05-25T17:29:00Z
Modified
2024-06-30T12:01:22Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

References

Affected packages

Debian:11 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.6.RELEASE-14

Ecosystem specific

{
    "urgency": "low"
}

Debian:12 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.6.RELEASE-14

Ecosystem specific

{
    "urgency": "low"
}

Debian:13 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.6.RELEASE-14

Ecosystem specific

{
    "urgency": "low"
}