GHSA-hqw5-62gp-rqgm

Source

https://github.com/advisories/GHSA-hqw5-62gp-rqgm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hqw5-62gp-rqgm/GHSA-hqw5-62gp-rqgm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hqw5-62gp-rqgm

Aliases

CVE-2014-5325

Published

2022-05-17T03:46:06Z

Modified

2024-12-07T05:42:57.513190Z

Summary

Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting

Details

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Database specific

{
    "nvd_published_at": "2014-11-24T02:59:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T21:05:45Z"
}

References

Affected packages

Maven / org.directwebremoting:dwr

Package

Name: org.directwebremoting:dwr; View open source insights on deps.dev
Purl: pkg:maven/org.directwebremoting/dwr

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.11

Affected versions

2.*

2.0.rc1

2.0.rc2

2.0.1

2.0.2

2.0.3

2.0.8

2.0.9

2.0.10

Maven / org.directwebremoting:dwr

Package

Name: org.directwebremoting:dwr; View open source insights on deps.dev
Purl: pkg:maven/org.directwebremoting/dwr

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.M1

Fixed

3.0.RC3

Affected versions

3.*

3.0.M1

Database specific

{
    "last_known_affected_version_range": "<= 3.0.RC2"
}