CVE-2014-0054 Medium Severity Vulnerability detected by WhiteSource #41
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2014-0054 - Medium Severity Vulnerability
null
path: /root/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 23068bfa8fba8e934988efafc64fa2cf0fdb8462
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Publish Date: 2014-04-17
URL: CVE-2014-0054
Base Score Metrics not available
Type: Upgrade version
Origin: https://jira.spring.io/browse/SPR-11376
Release Date: 2014-02-18
Fix Resolution: Upgrade to version 3.2.8, 4.0.2 or greater
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: