CVE-2014-0054 Information

Description

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution which allows remote attackers to read arbitrary files cause a denial of service and conduct CSRF attacks via crafted XML aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152 CVE-2013-7315 and CVE-2013-6429.

Reference

http://rhn.redhat.com/errata/RHSA-2014-0400.html http://secunia.com/advisories/57915 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.securityfocus.com/bid/66148 https://jira.spring.io/browse/SPR-11376