CVE-2014-5325 – org.directwebremoting:dwr

Package

Manager: maven
Name: org.directwebremoting:dwr
Vulnerable Version: >=0 <2.0.11 || >=3.0.m1 <3.0.rc3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00633 pctl0.69451

Details

Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Metadata

Created: 2022-05-17T03:46:06Z
Modified: 2022-07-06T21:05:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hqw5-62gp-rqgm/GHSA-hqw5-62gp-rqgm.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-hqw5-62gp-rqgm
Finding: F017
Auto approve: 1