What is CVE-2014-0054?

CVE-2014-0054 is a vulnerability in the Pivotal Spring Framework that could allow a remote attacker to obtain sensitive information.

How does CVE-2014-0054 work?

CVE-2014-0054 is caused by the Jaxb2RootElementHttpMessageConverter in Spring MVC not disabling external entity resolution, allowing remote attackers to read arbitrary files, cause denial of service, and conduct CSRF attacks via crafted XML.

What is the severity of CVE-2014-0054?

The severity of CVE-2014-0054 is medium with a CVSS score of 6.8.

Which software versions are affected by CVE-2014-0054?

The Spring MVC versions 3.2.8 and 4.0.0 before 4.0.2, and IBM Security Directory Suite VA 8.0.1-8.0.1.19 are affected by CVE-2014-0054.

How can I fix CVE-2014-0054?

To fix CVE-2014-0054, upgrade the Spring MVC to version 3.2.8 or 4.0.2, or apply the appropriate remedy provided by your software vendor.

Vulnerability/
CVE-2014-0054

medium

6.8

CWE

352

12/3/2014

17/4/2014

13/5/2022

6/8/2024

CVE-2014-0054: CSRF

First published: Wed Mar 12 2014(Updated: )

Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error in Jaxb2RootElementHttpMessageConverter when processing XML data. By sending specially-crafted XML data, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/spring mvc	<3.2.8	3.2.8
redhat/spring mvc	<4.0.2	4.0.2
IBM Security Directory Suite VA	<=8.0.1-8.0.1.19
SpringSource Spring Framework	=3.0.0
SpringSource Spring Framework	=3.0.0-m1
SpringSource Spring Framework	=3.0.0-m2
SpringSource Spring Framework	=3.0.0-m3
SpringSource Spring Framework	=3.0.0-m4
SpringSource Spring Framework	=3.0.0-rc1
SpringSource Spring Framework	=3.0.0-rc2
SpringSource Spring Framework	=3.0.0-rc3
SpringSource Spring Framework	=3.0.0.m1
SpringSource Spring Framework	=3.0.0.m2
SpringSource Spring Framework	=3.0.1
SpringSource Spring Framework	=3.0.2
SpringSource Spring Framework	=3.0.3
SpringSource Spring Framework	=3.0.4
SpringSource Spring Framework	=3.0.5
SpringSource Spring Framework	=3.2.5
SpringSource Spring Framework	=3.2.6
SpringSource Spring Framework	=4.0.0-rc1
SpringSource Spring Framework	=4.0.1
VMware Spring Framework	<=3.2.7
VMware Spring Framework	=3.0.6
VMware Spring Framework	=3.0.7
VMware Spring Framework	=3.1.0
VMware Spring Framework	=3.1.1
VMware Spring Framework	=3.1.2
VMware Spring Framework	=3.1.3
VMware Spring Framework	=3.1.4
VMware Spring Framework	=3.2.0
VMware Spring Framework	=3.2.1
VMware Spring Framework	=3.2.2
VMware Spring Framework	=3.2.3
VMware Spring Framework	=3.2.4
VMware Spring Framework	=4.0.0-milestone1
VMware Spring Framework	=4.0.0-milestone2
maven/org.springframework:spring-webmvc	>=4.0.0<4.0.2	4.0.2
maven/org.springframework:spring-webmvc	<3.2.8	3.2.8

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7001693

Frequently Asked Questions

What is CVE-2014-0054?
CVE-2014-0054 is a vulnerability in the Pivotal Spring Framework that could allow a remote attacker to obtain sensitive information.
How does CVE-2014-0054 work?
CVE-2014-0054 is caused by the Jaxb2RootElementHttpMessageConverter in Spring MVC not disabling external entity resolution, allowing remote attackers to read arbitrary files, cause denial of service, and conduct CSRF attacks via crafted XML.
What is the severity of CVE-2014-0054?
The severity of CVE-2014-0054 is medium with a CVSS score of 6.8.
Which software versions are affected by CVE-2014-0054?
The Spring MVC versions 3.2.8 and 4.0.0 before 4.0.2, and IBM Security Directory Suite VA 8.0.1-8.0.1.19 are affected by CVE-2014-0054.
How can I fix CVE-2014-0054?
To fix CVE-2014-0054, upgrade the Spring MVC to version 3.2.8 or 4.0.2, or apply the appropriate remedy provided by your software vendor.

collector/redhat-bugzilla
alias/CVE-2014-0054
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-8cmm-qj8g-fcp6
agent/software-canonical-lookup
agent/references
agent/weakness
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/author
agent/description
agent/event
collector/github-advisory
collector/ibm-support
source/IBM
agent/tags
collector/mitre-cve
source/MITRE
package-manager/redhat
vendor/springsource
canonical/springsource spring framework
version/springsource spring framework/3.0.0
version/springsource spring framework/3.0.0-m1
version/springsource spring framework/3.0.0-m2
version/springsource spring framework/3.0.0-m3
version/springsource spring framework/3.0.0-m4
version/springsource spring framework/3.0.0-rc1
version/springsource spring framework/3.0.0-rc2
version/springsource spring framework/3.0.0-rc3
version/springsource spring framework/3.0.0.m1
version/springsource spring framework/3.0.0.m2
version/springsource spring framework/3.0.1
version/springsource spring framework/3.0.2
version/springsource spring framework/3.0.3
version/springsource spring framework/3.0.4
version/springsource spring framework/3.0.5
version/springsource spring framework/3.2.5
version/springsource spring framework/3.2.6
version/springsource spring framework/4.0.0-rc1
version/springsource spring framework/4.0.1
vendor/vmware
canonical/vmware spring framework
version/vmware spring framework/3.2.7
version/vmware spring framework/3.0.6
version/vmware spring framework/3.0.7
version/vmware spring framework/3.1.0
version/vmware spring framework/3.1.1
version/vmware spring framework/3.1.2
version/vmware spring framework/3.1.3
version/vmware spring framework/3.1.4
version/vmware spring framework/3.2.0
version/vmware spring framework/3.2.1
version/vmware spring framework/3.2.2
version/vmware spring framework/3.2.3
version/vmware spring framework/3.2.4
version/vmware spring framework/4.0.0-milestone1
version/vmware spring framework/4.0.0-milestone2
package-manager/maven
vendor/ibm
canonical/ibm security directory suite va
version/ibm security directory suite va/8.0.1-8.0.1.19