Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
| CPE Name | Operator | Version |
|---|---|---|
| org.springframework:spring-web | eq | 5.0.0.RC2 |
| org.springframework:spring-web | lt | 4.1.7 |
| org.springframework:spring-web | lt | 3.2.14 |
lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
rhn.redhat.com/errata/RHSA-2016-1592.html
rhn.redhat.com/errata/RHSA-2016-1593.html
rhn.redhat.com/errata/RHSA-2016-2035.html
rhn.redhat.com/errata/RHSA-2016-2036.html
www.securityfocus.com/bid/90853
www.securitytracker.com/id/1036587
access.redhat.com/errata/RHSA-2016:1218
access.redhat.com/errata/RHSA-2016:1219
github.com/advisories/GHSA-6v7w-535j-rq5m
github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907
github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09
github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e
github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b
github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434
github.com/spring-projects/spring-framework/issues/17727
github.com/spring-projects/spring-framework/issues/20352
jira.spring.io/browse/SPR-13136
jira.spring.io/browse/SPR-13136?redirect=false
lists.debian.org/debian-lts-announce/2019/07/msg00012.html
nvd.nist.gov/vuln/detail/CVE-2015-3192
spring.io/security/cve-2015-3192