CSRF in Springsource Spring_framework

CVE-2014-0054

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, a…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.025 (85.8th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2014-0054?
CVE-2014-0054 is a vulnerability in Springsource Spring_framework, classified under Cross-Site Request Forgery (CSRF). Published 2014-04-17.
Is CVE-2014-0054 known to be exploited?
5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.