CVE-2015-3192

MEDIUM

Pivotal Spring Framework <3.2.14 & 4.x <4.1.7 - DoS

Title source: llm

Description

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

References (13)

Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_sectrack]: http://www.securitytracker.com/id/1036587
Vendor Advisory [x_refsource_confirm]: http://pivotal.io/security/cve-2015-3192
Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2016-2036.html
Vendor Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2016:1218
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/90853
Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2016-1592.html
Mailing List, Third Party Advisory [vendor-advisory, x_refsource_fedora]: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
Mailing List, Third Party Advisory [vendor-advisory, x_refsource_fedora]: http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
Various Sources [x_refsource_confirm]: https://jira.spring.io/browse/SPR-13136
Vendor Advisory [vendor-advisory, x_refsource_redhat]: http://rhn.redhat.com/errata/RHSA-2016-1593.html
Vendor Advisory [vendor-advisory, x_refsource_redhat]: https://access.redhat.com/errata/RHSA-2016:1219
Mailing List [mailing-list, x_refsource_mlist]: https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html

Scores

CVSS v3 5.5
EPSS 0.0138
EPSS Percentile 80.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-119
Status published
Products (24)
fedoraproject/fedora 21
fedoraproject/fedora 22
org.springframework/spring-web 0 - 3.2.14 (Maven)
pivotal_software/spring_framework 3.2.0
pivotal_software/spring_framework 4.1.0
vmware/spring_framework 3.2.1
vmware/spring_framework 3.2.2
vmware/spring_framework 3.2.3
vmware/spring_framework 3.2.4
vmware/spring_framework 3.2.5
... and 14 more
Published Jul 12, 2016
Tracked Since Feb 18, 2026