CVE-2014-5325

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published: Nov 24, 2014
Updated: May 9, 2024
CVE: CVE-2014-5325
GHSA: GHSA-hqw5-62gp-rqgm
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
directwebremoting / direct_web_remoting	3.0-rc1	3.0-rc1.x
directwebremoting / direct_web_remoting	-	2.0.10.x
directwebremoting / direct_web_remoting	3.0-rc2	3.0-rc2.x
org.directwebremoting / dwr	-	2.0.11
org.directwebremoting / dwr	3.0.M1	3.0.RC3

http://jvn.jp/en/jp/JVN91502163/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117
http://www.securityfocus.com/bid/71093

Vulnerability Database

290,301

CVE-2014-5325