XXE in Castor_project Castor

CVE-2014-3004

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

Vulnerability class: XXE (XML External Entity)

EPSS: 0.036 (88.0th percentile) — read the EPSS interpretation.

Affected products

Castor_project Castor — versions 1.3, 1.3.1
Opensuse_project Opensuse — versions 12.3
Opensuse — versions 13.1
N/a — versions n/a

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

openSUSE-SU-2014:0822 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
20140527 CVE-2014-3004 - Castor Library Default Config could lead to XML External Entity (XXE) Attacks (mailing-list, Exploit, x_refsource_FULLDISC)
59427 (x_refsource_SECUNIA, third-party-advisory)
67676 (vdb-entry, x_refsource_BID, Broken Link)
cve@mitre.org (x_refsource_MISC)
cve@mitre.org (x_refsource_MISC)
cve@mitre.org (Exploit, x_refsource_MISC)
cve@mitre.org (x_refsource_MISC)