GHSA-f93f-g33r-8pcp

Suggest an improvement
Source
https://github.com/advisories/GHSA-f93f-g33r-8pcp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f93f-g33r-8pcp/GHSA-f93f-g33r-8pcp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f93f-g33r-8pcp
Aliases
Published
2022-05-13T01:02:39Z
Modified
2024-02-28T00:16:16.860335Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Restriction of XML External Entity Reference in Spring Framework
Details

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Database specific
{
    "nvd_published_at": "2017-05-25T17:29:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:58:08Z"
}
References

Affected packages

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.5

Affected versions

4.*

4.0.0.RELEASE
4.0.1.RELEASE
4.0.2.RELEASE
4.0.3.RELEASE
4.0.4.RELEASE

Maven / org.springframework:spring-webmvc

Package

Name
org.springframework:spring-webmvc
View open source insights on deps.dev
Purl
pkg:maven/org.springframework/spring-webmvc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.8

Affected versions

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE
3.0.6.RELEASE
3.0.7.RELEASE
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.1.4.RELEASE
3.2.0.RELEASE
3.2.1.RELEASE
3.2.2.RELEASE
3.2.3.RELEASE
3.2.4.RELEASE
3.2.5.RELEASE
3.2.6.RELEASE
3.2.7.RELEASE