DescriptionWhen processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs753470

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libspring-java (PTS)jessie3.0.6.RELEASE-17fixed
buster, sid4.3.21-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[squeeze] - libspring-java <no-dsa> (Minor issue)
[wheezy] - libspring-java <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems