Fluid Attacks Database

Description

Improper Restriction of XML External Entity Reference in Spring Framework When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libspring-java	>=0 <3.0.6.release-14	3.0.6.release-14
maven	org.springframework:spring-webmvc	>=4.0.0 <4.0.5 \|\| >=3.0.0 <3.2.8	4.0.5, 3.2.8
debian 14	libspring-java	>=0 <3.0.6.release-14	3.0.6.release-14
debian 11	libspring-java	>=0 <3.0.6.release-14	3.0.6.release-14
maven	org.springframework:spring-oxm	>=3-alpha0 <=3.2.8.release \|\| >=4-alpha0 <=4.0.4.release	3.2.9.release, 4.0.5.release
debian 12	libspring-java	>=0 <3.0.6.release-14	3.0.6.release-14
maven	org.springframework:spring-web	>=3 <=3.2.8.release \|\| >=4 <=4.0.4.release	3.2.9.release, 4.0.5.release

Aliases

1. CVE-2014-02252. NVD-2014-02253. OSV-DEBIAN-2014-02254. OSV-2014-02255. GCVE-2014-02256. SECURITY-TRACKER-CVE-2014-02257. GOPIVOTAL-cve-2014-02258. bugzilla.redhat.com

References

1. https://github.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d7532. https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a13. https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb4. https://jira.spring.io/browse/SPR-117685. https://pivotal.io/security/cve-2014-0225