CVE-2014-5325

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://jvn.jp/en/jp/JVN91502163/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117
http://www.securityfocus.com/bid/71093

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:directwebremoting:direct_web_remoting::::::::
	cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc1::::::
	cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc2::::::

History

No history.

Information

Published : 2014-11-24 02:59

Updated : 2024-02-04 18:35

NVD link : CVE-2014-5325

Mitre link : CVE-2014-5325

CVE.ORG link : CVE-2014-5325

JSON object : View

Products Affected

directwebremoting

direct_web_remoting

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2014-5325", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-11-24T02:59:01.897", "references": [{"url": "http://jvn.jp/en/jp/JVN91502163/index.html", "source": "vultures@jpcert.or.jp"}, {"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000117", "source": "vultures@jpcert.or.jp"}, {"url": "http://www.securityfocus.com/bid/71093", "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."}, {"lang": "es", "value": "La funciones (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, y (4) XOMConverter en Direct Web Remoting (DWR) hasta 2.0.10 y 3.x hasta 3.0.RC2 permiten a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de datos DOM que contienen una declaraci\u00f3n de entidad externa XML en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE)."}], "lastModified": "2016-11-28T19:12:36.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:directwebremoting:direct_web_remoting:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86A40D75-2A67-485B-8F03-03D7B8B3300C", "versionEndIncluding": "2.0.10"}, {"criteria": "cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15EC6841-1ACB-4CA9-B636-73FD4848B6A4"}, {"criteria": "cpe:2.3:a:directwebremoting:direct_web_remoting:3.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B95F48BD-B339-4587-B3E2-99D715173F3F"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}