Description

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Remediation

References

https://pivotal.io/security/cve-2014-0225

Related Vulnerabilities

CVE-2011-2894 Vulnerability in maven package org.springframework.security:spring-security-core

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk15to18

CVE-2021-25642 Vulnerability in maven package org.apache.hadoop:hadoop-yarn-server-resourcemanager

CVE-2022-41935 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui

CVE-2020-13936 Vulnerability in maven package org.apache.velocity:velocity-engine-core

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Vendor Advisory