CVE-2014-1904: XSS
First published: Wed Mar 12 2014(Updated: )
A cross-site scripting flaw was found in the Spring Framework when using Spring MVC. From the original advisory: "When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form." This issue affects versions 3.0.0 to 3.2.7*, and versions 4.0.0 to 4.0.1. (the fix is present in version 3.2.8; this was incorrect in the gopivotal flaw - chazlett) External References: <a href="http://www.gopivotal.com/security/cve-2014-1904">http://www.gopivotal.com/security/cve-2014-1904</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/spring mvc | <3.2.8 | 3.2.8 |
| redhat/spring mvc | <4.0.2 | 4.0.2 |
| Pivotal Software Spring Framework | >=3.0.0<3.2.8 | |
| Pivotal Software Spring Framework | >=4.0.0<4.0.2 | |
| maven/org.springframework:spring-webmvc | >=4.0.0<=4.0.1.RELEASE | 4.0.2.RELEASE |
| maven/org.springframework:spring-webmvc | >=3.0.0<=3.2.7.RELEASE | 3.2.8.RELEASE |
Remedy
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.gopivotal.com/security/cve-2014-1904
- https://access.redhat.com/site/support/policy/updates/openshift
- https://access.redhat.com/support/policy/updates/fusesource/
- https://rhn.redhat.com/errata/RHSA-2014-0401.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1075296
- http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt
- http://rhn.redhat.com/errata/RHSA-2014-0400.html
- http://seclists.org/fulldisclosure/2014/Mar/101
- http://secunia.com/advisories/57915
- http://www.securityfocus.com/archive/1/531422/100/0/threaded
- http://www.securityfocus.com/bid/66137
- https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
- https://jira.springsource.org/browse/SPR-11426
- https://nvd.nist.gov/vuln/detail/CVE-2014-1904
- https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45
- https://github.com/advisories/GHSA-ff7p-jqjm-v66h (Advisory)
- collector/redhat-bugzilla
- alias/CVE-2014-1904
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ff7p-jqjm-v66h
- agent/software-canonical-lookup
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/pivotal software
- canonical/pivotal software spring framework
- version/pivotal software spring framework/3.0.0
- version/pivotal software spring framework/4.0.0
- package-manager/maven