Cross-site Request Forgery (CSRF) Affecting org.springframework:spring-web package, versions [3.0.0.RELEASE,3.2.8.RELEASE) [4.0.0.RELEASE,4.0.2.RELEASE)
Snyk CVSS: Attack Complexity: Low; User Interaction: Required
Threat Intelligence: EPSS 39.6% (98th percentile)
- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORK-31331
- published 6 Jun 2014
- disclosed 17 Apr 2014
- credit Spase Markovski
Introduced: 17 Apr 2014
CVE-2014-0054

Overview
org.springframework:spring-web
Affected versions of this package do not disable external entity resolution when parsing XML, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML; this is an XML External Entity (XXE) issue.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
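Beyond upgrading to a fixed version, the defensive control is to configure the XML reader that feeds the unmarshaller so that DTDs and external entities are refused before any input is read. The following is an added example using only standard JAXP/SAX APIs, not Spring's own code; the SafeXml class, its method names and the constructed test document are assumptions for illustration, and the feature URIs are the standard SAX and Xerces names honoured by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

// Hypothetical helper class (assumption, not a Spring API).
public final class SafeXml {
    // Standard SAX/Xerces feature URIs, not Spring identifiers.
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** Weak pattern: a default reader resolves entities from the filesystem and network. */
    public static XMLReader defaultReader() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    /** Hardened reader: DOCTYPE declarations and external entities are rejected outright. */
    public static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }

    /** Wrap a request body so Unmarshaller.unmarshal(Source) uses the hardened reader. */
    public static SAXSource sourceFor(String body) throws Exception {
        return new SAXSource(hardenedReader(), new InputSource(new StringReader(body)));
    }

    /** Self-check: any document carrying a DOCTYPE must fail to parse with the hardened reader. */
    public static boolean rejectsDoctype() throws Exception {
        // Constructed input with an internal entity only; no file or URL is referenced.
        String doc = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            hardenedReader().parse(new InputSource(new StringReader(doc)));
            return false; // parsed: external entity handling is still enabled
        } catch (SAXParseException expected) {
            return true;  // rejected at the DOCTYPE, before entity resolution
        }
    }
}
```

Calling `rejectsDoctype()` from a unit test gives a regression check that the parser configuration has not silently drifted back to the default.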