Cross-Site Request Forgery in Spring Framework

GHSA-8cmm-qj8g-fcp6 · CVE-2014-0054

Published May 13, 2022 · Modified Dec 4, 2024

Description

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-0054
WEB https://github.com/spring-projects/spring-framework/issues/16003
WEB https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a
WEB https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b
WEB https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398
WEB https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be
WEB http://rhn.redhat.com/errata/RHSA-2014-0400.html
WEB http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes