Description

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Remediation

References

http://jvn.jp/en/jp/JVN91502163/index.html

http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117

http://www.securityfocus.com/bid/71093

Related Vulnerabilities

CVE-2018-1000862 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-10243 Vulnerability in maven package org.eclipse.kura:target-platform

CVE-2017-1000395 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2018-1322 Vulnerability in maven package org.apache.syncope:syncope-core

CVE-2011-2204 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Critical

Classification

CWE-200