Description
Pivotal Spring Framework DoS Attack with XML Input
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-3192
- https://github.com/spring-projects/spring-framework/issues/17727
- https://github.com/spring-projects/spring-framework/issues/20352
- https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907
- https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09
- https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
- https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e
- https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b
- https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434
- https://spring.io/security/cve-2015-3192
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- https://jira.spring.io/browse/SPR-13136?redirect=false
- https://jira.spring.io/browse/SPR-13136
- https://github.com/advisories/GHSA-6v7w-535j-rq5m
- https://access.redhat.com/errata/RHSA-2016:1219
- https://access.redhat.com/errata/RHSA-2016:1218
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
- http://rhn.redhat.com/errata/RHSA-2016-1592.html
- http://rhn.redhat.com/errata/RHSA-2016-1593.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securityfocus.com/bid/90853
- http://www.securitytracker.com/id/1036587
Affected packages
- org.springframework:spring-web, affected versions < 3.2.14, fixed in 3.2.14
- org.springframework:spring-web, affected versions >= 4.0.0 and < 4.1.7, fixed in 4.1.7
- org.springframework:spring-web, affected version = 5.0.0.RC2, fixed in 5.0.0.RC3