CVE-2015-3192

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Published: Jul 12, 2016
Updated: May 9, 2024
CVE: CVE-2015-3192
GHSA: GHSA-6v7w-535j-rq5m
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
pivotal_software / spring_framework	3.2.0	3.2.0.x
vmware / spring_framework	3.2.2	3.2.2.x
vmware / spring_framework	3.2.1	3.2.1.x
vmware / spring_framework	3.2.8	3.2.8.x
vmware / spring_framework	3.2.7	3.2.7.x
vmware / spring_framework	3.2.10	3.2.10.x
vmware / spring_framework	3.2.9	3.2.9.x
vmware / spring_framework	3.2.4	3.2.4.x
vmware / spring_framework	3.2.3	3.2.3.x
vmware / spring_framework	3.2.6	3.2.6.x
vmware / spring_framework	3.2.5	3.2.5.x
vmware / spring_framework	3.2.12	3.2.12.x
vmware / spring_framework	3.2.11	3.2.11.x
vmware / spring_framework	3.2.13	3.2.13.x
fedoraproject / fedora	22	22.x
fedoraproject / fedora	21	21.x
pivotal_software / spring_framework	4.1.0	4.1.0.x
vmware / spring_framework	4.1.6	4.1.6.x
vmware / spring_framework	4.1.5	4.1.5.x
vmware / spring_framework	4.1.1	4.1.1.x
vmware / spring_framework	4.1.2	4.1.2.x
vmware / spring_framework	4.1.3	4.1.3.x
vmware / spring_framework	4.1.4	4.1.4.x
org.springframework / spring-core	-	3.2.14
org.springframework / spring-core	4.0.0	4.1.7

Vulnerability Database

289,689

CVE-2015-3192