CVE-2015-3192

NameCVE-2015-3192
DescriptionPivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1853-1
NVD severitymedium
Debian Bugs796137

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libspring-java (PTS)stretch4.3.5-1fixed
bullseye, sid, buster4.3.22-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libspring-javasource(unstable)4.1.9-1low796137
libspring-javasourcejessie3.0.6.RELEASE-17+deb8u1DLA-1853-1

Notes

[wheezy] - libspring-java <no-dsa> (Minor issue)
https://pivotal.io/security/cve-2015-3192
https://jira.spring.io/browse/SPR-13136

Search for package or bug name: Reporting problems