CVE-2014-0225

HIGH

Spring Framework 3.0.0-3.2.8 and 4.0.0-4.0.4 - XML External Entity Injection

Title source: llm

Description

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://pivotal.io/security/cve-2014-0225

Scores

CVSS v3 8.8

EPSS 0.0024

EPSS Percentile 46.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (34)

org.springframework/spring-webmvc 4.0.0 - 4.0.5Maven

Pivotal/Spring Framework 3.0.0 to 3.2.8

Pivotal/Spring Framework 4.0.0 to 4.0.4

Pivotal/Spring Framework Earlier unsupported versions may be affected

pivotal_software/spring_framework 3.0.0

pivotal_software/spring_framework 3.1.0

pivotal_software/spring_framework 3.2.0

pivotal_software/spring_framework 4.0.0

vmware/spring_framework 3.0.1

vmware/spring_framework 3.0.2

... and 24 more

Published May 25, 2017

Tracked Since Feb 18, 2026