What is CVE-2014-0225?

CVE-2014-0225 is a high-severity vulnerability in Pivotal Spring Framework, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 8.8/10. Published 2017-05-25.

How severe is CVE-2014-0225?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2014-0225 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XXE in Pivotal Spring Framework

CVE-2014-0225

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an X…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.002 (46.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Pivotal Spring Framework — versions Earlier unsupported versions may be affected, 3.0.0 to 3.2.8, 4.0.0 to 4.0.4
Pivotal_software Spring_framework — versions 3.0.0, 3.1.0, 3.2.0
Vmware Spring_framework — versions 3.0.1, 3.0.2, 3.0.3

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

Public proof-of-concept exploits

References

security_alert@emc.com (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2014-0225?: CVE-2014-0225 is a high-severity vulnerability in Pivotal Spring Framework, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 8.8/10. Published 2017-05-25.
How severe is CVE-2014-0225?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2014-0225 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.