CVE-2014-0054

medium VMware
CVSS v3 Base Score
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Score
2.5%
Exploitation probability in 30 days
Top 14% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P
Published: April 17, 2014 (4410 days ago)
Last Modified: May 6, 2026
Vendor: VMware
Source: NVD

Description

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

CWE

CWE-352

Affected Products

springsource spring frameworkvmware spring framework

References

🔗 rhn.redhat.com 🔗 secunia.com 🔗 www.oracle.com 🔗 www.securityfocus.com 🔗 jira.spring.io