CVE-2014-0225: Improper Restriction of XML External Entity Reference
When processing user-provided XML documents, Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions do not disable by default the resolution of URI references in a DTD declaration. This allowed an XML External Entity (XXE) attack.
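Added example, not code from this advisory or from Spring's own fix: a plain JAXP DocumentBuilderFactory configured so that DTDs are rejected and external entity URIs are never resolved, which is the parser-side mitigation for this class of bug. The input document is constructed for the demonstration and its SYSTEM URI is a placeholder that is never fetched; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParser {

    // Constructed sample: a document whose DTD declares an external entity.
    // The SYSTEM URI is a placeholder; a correctly configured parser never resolves it.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/never-read\"> ]>\n"
      + "<data>&ext;</data>";

    /** Builds a parser that refuses DTDs and never resolves external entities. */
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright is the strongest setting; the remaining
        // features are defence in depth for parsers that do not honour it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true when the hardened parser rejects a DTD-bearing document. */
    static boolean rejectsExternalEntities(String xml) {
        try {
            hardened().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed without complaint: the DTD was processed
        } catch (SAXException e) {
            return true;  // DOCTYPE disallowed, which is the intended outcome
        } catch (Exception e) {
            throw new IllegalStateException("parser could not be configured securely", e);
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened parser rejects DTD: " + rejectsExternalEntities(SAMPLE_WITH_DTD));
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory; a parser that cannot set disallow-doctype-decl should be treated as unsafe for untrusted input rather than silently used.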
References
- github.com/advisories/GHSA-f93f-g33r-8pcp
- github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1
- github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb
- jira.spring.io/browse/SPR-11768
- nvd.nist.gov/vuln/detail/CVE-2014-0225
- pivotal.io/security/cve-2014-0225