CVE-2014-0225 — Improper Restriction of XML External Entity Reference in Spring Framework

Description

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

How to fix CVE-2014-0225

To remediate CVE-2014-0225, upgrade the affected package to a fixed version below.

—upgrade to 3.0.6.RELEASE-14 or later
—upgrade to 4.0.5 or later

Is CVE-2014-0225 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.6.RELEASE-14
>= 4.0.0, < 4.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0225
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-0225
WEBgithub.com/spring-projects/spring-framework/commit/44ee51a6c9c3734b3fcf9a20817117e86047d753
WEBgithub.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1