CVE-2015-3192
Severity CVSS v4.0:
Pending analysis
Type:
CWE-119
Buffer Errors
Publication date:
12/07/2016
Last modified:
12/04/2025
Description
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
- http://pivotal.io/security/cve-2015-3192
- http://rhn.redhat.com/errata/RHSA-2016-1592.html
- http://rhn.redhat.com/errata/RHSA-2016-1593.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securityfocus.com/bid/90853
- http://www.securitytracker.com/id/1036587
- https://access.redhat.com/errata/RHSA-2016:1218
- https://access.redhat.com/errata/RHSA-2016:1219
- https://jira.spring.io/browse/SPR-13136
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html
- http://pivotal.io/security/cve-2015-3192
- http://rhn.redhat.com/errata/RHSA-2016-1592.html
- http://rhn.redhat.com/errata/RHSA-2016-1593.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securityfocus.com/bid/90853
- http://www.securitytracker.com/id/1036587
- https://access.redhat.com/errata/RHSA-2016:1218
- https://access.redhat.com/errata/RHSA-2016:1219
- https://jira.spring.io/browse/SPR-13136
- https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html