History: Nov 24, 2014 - 2:59 a.m.

CVE-2014-5325

2014-11-24 02:59:01
CWE-200
web.nvd.nist.gov
cve
2014
5325
dwr
xxe
vulnerability

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.003 Low (Percentile: 71.1%)

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected configurations (NVD)

Node
directwebremoting direct_web_remoting, Range: 2.0.10
OR
directwebremoting direct_web_remoting, Match: 3.0rc1
OR
directwebremoting direct_web_remoting, Match: 3.0rc2
