Vulnerability Name:

CVE-2014-0054 (CCN-91841)

Assigned:2013-12-03
Published:2014-02-18
Updated:2022-04-11
Summary:The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.
Note: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-352
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2014-0054

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0400

Source: CCN
Type: SA57391
Spring Framework Jaxb2RootElementHttpMessageConverter XML Entity References Information Disclosure Vulnerability

Source: SECUNIA
Type: Vendor Advisory
57915

Source: CCN
Type: Pivotal Web Site
CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)

Source: CCN
Type: IBM Security Bulletin 1989676 (WebSphere Portal)
Security Vulnerabilities in Spring Framework affect IBM WebSphere Portal

Source: CCN
Type: IBM Security Bulletin 1992651 (Tivoli Netcool Configuration Manager)
Vulnerabilities in OpenSource Spring Source/Pivotal Spring Framework affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

Source: CCN
Type: IBM Security Bulletin 1997874 (Security Guardium)
OpenSource Spring Source/Pivotal Spring Framework Vulnerabilities affect IBM Security Guardium (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

Source: CCN
Type: IBM Security Bulletin 1999040 (Tivoli Application Dependency Discovery Manager)
Pivotal Spring Framework vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)

Source: CCN
Type: IBM Security Bulletin 1999395 (Security QRadar SIEM)
Pivotal Spring Framework as used in IBM QRadar SIEM is vulnerable to various CVE's

Source: CCN
Type: IBM Security Bulletin 2013753 (Security Guardium Big Data Intelligence)
IBM Security Guardium Big Data Intelligence (SonarG) is vulnerable to using Components with Known Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Source: BID
Type: UNKNOWN
66148

Source: CCN
Type: BID-66148
Spring Framework CVE-2014-0054 Multiple XML External Entity Injection Vulnerabilities

Source: XF
Type: UNKNOWN
spring-framework-cve20140054-info-disc(91841)

Source: CCN
Type: Spring Framework Security Advisory SPR-11376
Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability

Source: CONFIRM
Type: Vendor Advisory
https://jira.spring.io/browse/SPR-11376

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6396112 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Spring Framework Affect IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6955033 (Security Directory Integrator)
IBM Security Directory Integrator is affected by multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001693 (Security Directory Suite VA)
IBM Security Directory Suite is vulnerable to multiple issues

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-0054

Vulnerable Configuration:Configuration 1:
  • cpe:/a:springsource:spring_framework:3.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:4.0.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version <= 3.2.7)
  • OR cpe:/a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_big_data_intelligence:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.2:*:*:*:standard:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:24431 | P | DSA-2890-1 libspring-java - security update | 2014-06-23
oval:com.ubuntu.precise:def:20140054000 | V | CVE-2014-0054 on Ubuntu 12.04 LTS (precise) - medium. | 2014-04-17
oval:com.ubuntu.xenial:def:201400540000000 | V | CVE-2014-0054 on Ubuntu 16.04 LTS (xenial) - medium. | 2014-04-17
oval:com.ubuntu.trusty:def:20140054000 | V | CVE-2014-0054 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-04-17
oval:com.ubuntu.xenial:def:20140054000 | V | CVE-2014-0054 on Ubuntu 16.04 LTS (xenial) - medium. | 2014-04-17