CVE-2015-3192
Severity: MEDIUM 5.5 | EPSS: 1.4%
Pivotal Spring Framework DoS Attack with XML Input
Published: 10/17/2018 | Modified: 3/15/2024
Description
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
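To show the mechanism behind the description, the following is an added example written for this page, not code from Spring or from the advisory. It uses plain JAXP, which Spring's XML message converters sit on top of, a constructed three-level entity-expansion payload, and two hypothetical factory configurations named partiallyHardened and fullyHardened: the first disables external entities but still accepts a DOCTYPE, which is the "DTD not entirely disabled" state the CVE describes; the second rejects any DOCTYPE outright.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class InlineDtdDemo {

    // Constructed sample payload: an inline DTD whose entities expand
    // geometrically. Three levels of 10 give 1000 copies of "lol" from a
    // few hundred bytes of input; a real attack payload uses ~10 levels.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<lolz>&lol3;</lolz>";

    /** Hypothetical "partially disabled" setup: external entities off, inline DOCTYPE still accepted. */
    static DocumentBuilderFactory partiallyHardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        // Default behaviour, spelled out: internal entity references are expanded.
        f.setExpandEntityReferences(true);
        return f;
    }

    /** Hypothetical "entirely disabled" setup: any DOCTYPE is a fatal parse error. */
    static DocumentBuilderFactory fullyHardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = partiallyHardened();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** Parses xml with the given factory and returns the root element's text length. */
    static int parsedTextLength(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("payload size in chars: " + PAYLOAD.length());
        // Turning off external entities does not stop inline expansion:
        // the parsed text is 3000 chars (1000 x "lol") from ~300 chars of input.
        System.out.println("partially hardened -> parsed text length "
            + parsedTextLength(partiallyHardened(), PAYLOAD));
        try {
            parsedTextLength(fullyHardened(), PAYLOAD);
            System.out.println("fully hardened -> unexpectedly accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl rejects the document before any entity is declared.
            System.out.println("fully hardened -> rejected: " + e.getMessage());
        }
    }
}
```

Current JDKs bound this with the jdk.xml.entityExpansionLimit property (default 64000 expansions), so the partially hardened factory fails with a parser error, rather than running out of memory, once the payload goes a couple of levels deeper; applications on older runtimes, or that raise that limit, see the memory-consumption behaviour the description names. The actual remediation for this CVE is upgrading to the fixed Spring versions listed on this page; the example only illustrates why disabling external entities alone is insufficient.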
Affected packages (2)
- Debian/libspring-java: from 0, < 4.1.9-1
- Maven/org.springframework:spring-web: from 0, < 3.2.14
The description above also names the 4.x line before 4.1.7 as affected; check the GHSA entry in the references for the full range list before relying on the single Maven range shown here.
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.0 | MEDIUM 5.5 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
The version column follows the vector's own CVSS:3.0 prefix. Note that the vector scores the attack as local with user interaction, which fits a locally supplied XML file; where the affected XML handling is reachable over HTTP, as the description's "remote attackers" implies, the effective attack vector is network and the exposure is higher than a 5.5 suggests.
References (26)
- ADVISORY: https://github.com/advisories/GHSA-6v7w-535j-rq5m
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-3192
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2015-3192
- PATCH: https://github.com/spring-projects/spring-framework
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
- WEB: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
- WEB: http://rhn.redhat.com/errata/RHSA-2016-1592.html
- WEB: http://rhn.redhat.com/errata/RHSA-2016-1593.html
- WEB: http://rhn.redhat.com/errata/RHSA-2016-2035.html
- WEB: http://rhn.redhat.com/errata/RHSA-2016-2036.html
- WEB: https://access.redhat.com/errata/RHSA-2016:1218
- WEB: https://access.redhat.com/errata/RHSA-2016:1219
- WEB: https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907
- WEB: https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09
- WEB: https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
- WEB: https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e
- WEB: https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b
- WEB: https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434
- WEB: https://github.com/spring-projects/spring-framework/issues/17727
- WEB: https://github.com/spring-projects/spring-framework/issues/20352
- WEB: https://jira.spring.io/browse/SPR-13136
- WEB: https://jira.spring.io/browse/SPR-13136?redirect=false
- WEB: https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- WEB: https://spring.io/security/cve-2015-3192
- WEB: http://www.securityfocus.com/bid/90853
- WEB: http://www.securitytracker.com/id/1036587