MEDIUM 5.5 Maven
Pivotal Spring Framework DoS Attack with XML Input
GHSA-6v7w-535j-rq5m · CVE-2015-3192
Published · Modified
Description
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-3192
- WEB https://github.com/spring-projects/spring-framework/issues/17727
- WEB https://github.com/spring-projects/spring-framework/issues/20352
- WEB https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907
- WEB https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09
- WEB https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
- WEB https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e
- WEB https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b
- WEB https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434
- WEB https://spring.io/security/cve-2015-3192
- WEB https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- WEB https://jira.spring.io/browse/SPR-13136?redirect=false
- WEB https://jira.spring.io/browse/SPR-13136
- PACKAGE https://github.com/spring-projects/spring-framework
- ADVISORY https://github.com/advisories/GHSA-6v7w-535j-rq5m
- WEB https://access.redhat.com/errata/RHSA-2016:1219
- WEB https://access.redhat.com/errata/RHSA-2016:1218
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
- WEB http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-1592.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-1593.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2035.html
- WEB http://rhn.redhat.com/errata/RHSA-2016-2036.html
- WEB http://www.securityfocus.com/bid/90853
- WEB http://www.securitytracker.com/id/1036587
Ready to move
Start Securing
Free, no credit card | First findings in minutes