CVE-2014-3630
CRITICAL
Play Framework < 2.2.6 and 2.3.x < 2.3.5 - XML External Entity Injection
Title source: llm
Description
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
References (4)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
Issue Tracking, Mitigation, Vendor Advisory x_refsource_confirm
https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity
Mailing List x_refsource_confirm
https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
Mailing List x_refsource_confirm
https://groups.google.com/forum/#%21topic/play-framework/WdbFvemsFDQ
Scores
CVSS v3
9.8
EPSS
0.0285
EPSS Percentile
84.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (14)
lightbend/play_framework
2.2.0 (4 CPE variants)
lightbend/play_framework
2.2.1
lightbend/play_framework
2.2.2
lightbend/play_framework
2.3.0 (3 CPE variants)
lightbend/play_framework
2.3.1
lightbend/play_framework
2.3.2 (3 CPE variants)
lightbend/play_framework
2.3.3
lightbend/play_framework
2.3.4
playframework/play_framework
2.2.0 rc1
playframework/play_framework
2.2.1 rc1
... and 4 more
Published
Dec 29, 2017
Tracked Since
Feb 18, 2026