CVE-2014-3004

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

Published Bycve@mitre.org

Published DateJun 11, 2014, 14:55

Affected Versions(2)

org.codehaus.castor:castor(Maven)

Introduced0

Fixed1.3.3

LimitN/A

org.castor:castor(Maven)

Introduced0

FixedN/A

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.codehaus.castor:castor(Maven)	0	1.3.3	N/A
org.castor:castor(Maven)	0	N/A	N/A

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE