CVE-2015-3192 — Pivotal Spring Framework DoS Attack with XML Input

Description

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

How to fix CVE-2015-3192

To remediate CVE-2015-3192, upgrade the affected package to a fixed version below.

—upgrade to 4.1.9-1 or later
—upgrade to 3.2.14 or later

Is CVE-2015-3192 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.9-1
from 0, < 3.2.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (26)

ADVISORYgithub.com/advisories/GHSA-6v7w-535j-rq5m
ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3192
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-3192
PATCHgithub.com/spring-projects/spring-framework
WEB