CVE-2014-1904: XSS
First published: Wed Mar 12 2014(Updated: )
A cross-site scripting flaw was found in the Spring Framework when using Spring MVC. From the original advisory: "When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested uri. An attacker can use this to inject malicious content into the form." This issue affects versions 3.0.0 to 3.2.7*, and versions 4.0.0 to 4.0.1. (the fix is present in version 3.2.8; this was incorrect in the gopivotal flaw - chazlett) External References: <a href="http://www.gopivotal.com/security/cve-2014-1904">http://www.gopivotal.com/security/cve-2014-1904</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/spring mvc | <3.2.8 | 3.2.8 |
| redhat/spring mvc | <4.0.2 | 4.0.2 |
| maven/org.springframework:spring-webmvc | >=4.0.0<=4.0.1.RELEASE | 4.0.2.RELEASE |
| maven/org.springframework:spring-webmvc | >=3.0.0<=3.2.7.RELEASE | 3.2.8.RELEASE |
| VMware Spring Framework | >=3.0.0<3.2.8 | |
| VMware Spring Framework | >=4.0.0<4.0.2 | |
| >=3.0.0<3.2.8 | ||
| >=4.0.0<4.0.2 |
Remedy
https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.gopivotal.com/security/cve-2014-1904
- https://access.redhat.com/site/support/policy/updates/openshift
- https://access.redhat.com/support/policy/updates/fusesource/
- https://rhn.redhat.com/errata/RHSA-2014-0401.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1075296
- http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt
- http://rhn.redhat.com/errata/RHSA-2014-0400.html
- http://seclists.org/fulldisclosure/2014/Mar/101
- http://secunia.com/advisories/57915
- http://www.securityfocus.com/archive/1/531422/100/0/threaded
- http://www.securityfocus.com/bid/66137
- https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485
- https://jira.springsource.org/browse/SPR-11426
- https://nvd.nist.gov/vuln/detail/CVE-2014-1904
- https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45
- https://github.com/advisories/GHSA-ff7p-jqjm-v66h (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-1904?
CVE-2014-1904 is classified as a medium severity vulnerability due to its potential to allow cross-site scripting attacks.
How do I fix CVE-2014-1904?
To fix CVE-2014-1904, upgrade Spring MVC to version 3.2.8 or 4.0.2.
What systems are affected by CVE-2014-1904?
CVE-2014-1904 affects versions of Spring MVC before version 3.2.8 and 4.0.2.
What type of vulnerability is CVE-2014-1904?
CVE-2014-1904 is a cross-site scripting vulnerability.
Can CVE-2014-1904 be exploited remotely?
Yes, CVE-2014-1904 can be exploited remotely by attackers through crafted URIs.
- collector/redhat-bugzilla
- alias/CVE-2014-1904
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-ff7p-jqjm-v66h
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- package-manager/redhat
- package-manager/maven
- vendor/pivotal software
- canonical/vmware spring framework
- version/vmware spring framework/3.0.0
- version/vmware spring framework/4.0.0