Vulnerability DatabaseCVE-2015-3192
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2015-3192
July 12, 2016
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Affected Packages
org.springframework:spring-web (JAVA):
Affected version(s) =5.0.0.RC2 <5.0.0.RC3
Fix Suggestion:
Update to version 5.0.0.RC3
Related Resources (26)
https://github.com/spring-projects/spring-framework/issues/17727
https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
http://pivotal.io/security/cve-2015-3192
http://www.securityfocus.com/bid/90853
https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907
http://rhn.redhat.com/errata/RHSA-2016-2035.html
https://access.redhat.com/errata/RHSA-2016:1219
https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424
https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09
http://www.securitytracker.com/id/1036587
https://github.com/spring-projects/spring-framework/issues/20352
http://rhn.redhat.com/errata/RHSA-2016-1592.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
https://jira.spring.io/browse/SPR-13136
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e
http://rhn.redhat.com/errata/RHSA-2016-2036.html
https://access.redhat.com/errata/RHSA-2016:1218
http://rhn.redhat.com/errata/RHSA-2016-1593.html
https://github.com/spring-projects/spring-framework
https://nvd.nist.gov/vuln/detail/CVE-2015-3192
https://github.com/advisories/GHSA-6v7w-535j-rq5m
https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434
https://jira.spring.io/browse/SPR-13136?redirect=false
https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b
https://spring.io/security/cve-2015-3192
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-119
EPSS
Base Score:
1.08