GHSA-6v7w-535j-rq5m

Suggest an improvement
Source
https://github.com/advisories/GHSA-6v7w-535j-rq5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6v7w-535j-rq5m
Aliases
Published
2018-10-17T20:29:12Z
Modified
2024-03-15T05:46:26.165089Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Pivotal Spring Framework DoS Attack with XML Input
Details

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Database specific
{
    "nvd_published_at": "2016-07-12T19:59:00Z",
    "cwe_ids": [
        "CWE-119"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:20:17Z"
}
References

Affected packages

Maven / org.springframework:spring-web

Package

Name
org.springframework:spring-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.14

Affected versions

1.*

1.0-rc1
1.0
1.0.1
1.1-rc1
1.1-rc2
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2-rc1
1.2-rc2
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9

2.*

2.0-m1
2.0-m2
2.0-m3
2.0-m4
2.0-m5
2.0-rc1
2.0-rc2
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.6.SEC01
2.5.6.SEC02
2.5.6.SEC03

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE
3.2.8.RELEASE
3.2.9.RELEASE
3.2.10.RELEASE
3.2.11.RELEASE
3.2.12.RELEASE
3.2.13.RELEASE

Maven / org.springframework:spring-web

Package

Name
org.springframework:spring-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.1.7

Affected versions

4.*

4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE
4.0.5.RELEASE
4.0.6.RELEASE
4.0.7.RELEASE
4.0.8.RELEASE
4.0.9.RELEASE
4.1.0.RELEASE
4.1.1.RELEASE
4.1.2.RELEASE
4.1.3.RELEASE
4.1.4.RELEASE
4.1.5.RELEASE
4.1.6.RELEASE

Maven / org.springframework:spring-web

Package

Name
org.springframework:spring-web
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0.RC2
Fixed
5.0.0.RC3

Affected versions

5.*

5.0.0.RC2