CVE-2015-3192 Medium Severity Vulnerability detected by WhiteSource #11
Description
CVE-2015-3192 - Medium Severity Vulnerability
Vulnerable Library - spring-oxm-4.0.0.RELEASE.jar
path: 2/repository/org/springframework/spring-oxm/4.0.0.RELEASE/spring-oxm-4.0.0.RELEASE.jar
Library home page: https://github.com/SpringSource/spring-framework
Dependency Hierarchy:
- ❌ spring-oxm-4.0.0.RELEASE.jar (Vulnerable Library)
Found in commit: f396e60bf74726f66a202d308a1f2865177e4bee
Vulnerability Details
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://pivotal.io/security/cve-2015-3192
Release Date: 2017-12-31
Fix Resolution: Users of affected Spring Framework versions should upgrade as follows: For 3.2.x upgrade to For 4.0.x and 4.1.x upgrade to In addition, applications that consume XML input via StAX from external sources should also use and/or upgrade to a recent version of the Woodstox library, e.g. version 4.2+ (4.2.1 is the currently curated version in the ).
Step up your Open Source Security Game with WhiteSource here