CVE-2015-3192 - Medium Severity Vulnerability
Vulnerable Library - spring-oxm-4.0.0.RELEASE.jar
path: 2/repository/org/springframework/spring-oxm/4.0.0.RELEASE/spring-oxm-4.0.0.RELEASE.jar
Library home page: https://github.com/SpringSource/spring-framework
Dependency Hierarchy:
- ❌ spring-oxm-4.0.0.RELEASE.jar (Vulnerable Library)
Found in commit: f396e60bf74726f66a202d308a1f2865177e4bee
Vulnerability Details
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: http://pivotal.io/security/cve-2015-3192
Release Date: 2017-12-31
Fix Resolution: Users of affected Spring Framework versions should upgrade as follows:
For 3.2.x upgrade to
For 4.0.x and 4.1.x upgrade to
In addition, applications that consume XML input via StAX from external sources should also use and/or upgrade to a recent version of the Woodstox library, e.g. version 4.2+ (4.2.1 is the currently curated version in the ).
Step up your Open Source Security Game with WhiteSource here
CVE-2015-3192 - Medium Severity Vulnerability
path: 2/repository/org/springframework/spring-oxm/4.0.0.RELEASE/spring-oxm-4.0.0.RELEASE.jar
Library home page: https://github.com/SpringSource/spring-framework
Dependency Hierarchy:
Found in commit: f396e60bf74726f66a202d308a1f2865177e4bee
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: http://pivotal.io/security/cve-2015-3192
Release Date: 2017-12-31
Fix Resolution: Users of affected Spring Framework versions should upgrade as follows: For 3.2.x upgrade to For 4.0.x and 4.1.x upgrade to In addition, applications that consume XML input via StAX from external sources should also use and/or upgrade to a recent version of the Woodstox library, e.g. version 4.2+ (4.2.1 is the currently curated version in the ).
Step up your Open Source Security Game with WhiteSource here