CVE-2014-0225

Summary

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Affected Software

VendorProductVersion RangeStatus
PivotalSpring Framework4.0.0 to 4.0.4affected
PivotalSpring Framework3.0.0 to 3.2.8affected
PivotalSpring FrameworkEarlier unsupported versions may be affectedaffected

Weaknesses

  • XXE

ADP Enrichment

CVE Program Container

Additional References

References