-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- Spring MVC 3.0.0 to 3.2.8
- Spring MVC 4.0.0 to 4.0.1
- Earlier unsupported versions may be affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-0097 Blank password may bypass user authentication
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- Spring Security 3.2.0 to 3.2.1
- Spring Security 3.1.0 to 3.1.5
Description:
The ActiveDirectoryLdapAuthenticator
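The mechanism behind a blank-password bypass in an LDAP authenticator, shown as an added example that is not Spring Security's own code: an LDAP simple bind that carries a user name but an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), and directories such as Active Directory commonly answer it with success and grant anonymous access, so an authenticator that equates "bind succeeded" with "password verified" accepts any known user name with no password at all. The vulnerable method below reproduces that pattern over JNDI; the hardened one refuses empty credentials before any bind is attempted. The server URL and domain are placeholders, and without a reachable directory both methods return DIRECTORY_ERROR except that the hardened one still rejects a blank password up front.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Why an LDAP authenticator must refuse an empty password before binding.
 * RFC 4513 section 5.1.2: a simple bind with a DN/UPN and an empty password is an
 * unauthenticated bind; Active Directory accepts it by default and grants
 * anonymous access, so a successful bind proves nothing about the password.
 */
public final class AdBindCheck {

    // Placeholder directory settings (assumptions for this example).
    private static final String LDAP_URL = "ldap://dc.example.test:389";
    private static final String DOMAIN = "example.test";

    /** Result of an authentication attempt. */
    public enum Outcome { AUTHENTICATED, BAD_CREDENTIALS, DIRECTORY_ERROR }

    /**
     * Vulnerable pattern: trusts the bind result as-is. With an empty password the
     * server may accept the unauthenticated bind and this returns AUTHENTICATED
     * for any existing user name.
     */
    public static Outcome vulnerableAuthenticate(String user, String password) {
        return bind(user + "@" + DOMAIN, password);
    }

    /** Hardened: blank credentials are a failure before the directory is ever contacted. */
    public static Outcome hardenedAuthenticate(String user, String password) {
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            return Outcome.BAD_CREDENTIALS;
        }
        return bind(user + "@" + DOMAIN, password);
    }

    /** Performs an LDAP simple bind via JNDI (user@domain UPN form) and closes the context. */
    private static Outcome bind(String principal, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return Outcome.AUTHENTICATED;
        } catch (AuthenticationException e) {
            return Outcome.BAD_CREDENTIALS;   // server rejected the credentials
        } catch (NamingException e) {
            return Outcome.DIRECTORY_ERROR;   // unreachable server, bad URL, etc.
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "alice";
        String password = args.length > 1 ? args[1] : ""; // default: the blank-password case
        System.out.println("vulnerable: " + vulnerableAuthenticate(user, password));
        System.out.println("hardened:   " + hardenedAuthenticate(user, password));
    }
}
```

Run it as `java AdBindCheck someuser` against a directory that permits unauthenticated binds and the vulnerable path reports AUTHENTICATED for an existing account with no password, while the hardened path reports BAD_CREDENTIALS. The same check belongs in any code that treats a bind as a password check, whatever the LDAP library.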
to 3.2.8 or later
- Users of 4.x should upgrade to 4.0.2 or later
Credit:
This issue was discovered and reported responsibly to the Pivotal security team
by Paul Wowk of CAaNES LLC.
References:
https://jira.springsource.org/browse/SPR-11426
https://github.com/spring-projects/spring-framework/commit
responsible reporting of security vulnerabilities via
secur...@gopivotal.com
The /META-INF aspects of this issue were identified by numerous
individuals and reported responsibly to either the Grails team or to
the Pivotal Security team.
The directory traversal aspects of this vulnerability were reported
CVE-2014-0053 Information Disclosure in Grails applications
Severity: Important
Vendor: Grails by Pivotal
Versions Affected:
- Grails 2.0.0 to 2.3.5
Description:
The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF
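One way to enforce the missing check, as an added example rather than the resources plug-in's own code (the plug-in is Groovy; Java is used here as for the rest of this page): canonicalise the requested path before comparing it against the protected prefixes, so that percent-encoding, double encoding, backslash separators, mixed case and dot-segment traversal cannot slip a request for /WEB-INF or /META-INF past a naive string comparison. The sample requests in main are constructed; the class is meant to sit in a filter in front of a static-resource handler and requires Java 10 or later for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/**
 * Canonicalises a servlet-relative resource path and refuses anything that
 * resolves under a protected directory. Illustration only, not the Grails
 * resources plug-in's own logic.
 */
public final class ResourcePathGuard {

    /** Directories a static handler must never serve from (compared case-insensitively). */
    private static final String[] PROTECTED_PREFIXES = {"/WEB-INF/", "/META-INF/"};

    /**
     * Returns the canonical path if it may be served, or null if the request must be
     * rejected (malformed encoding, NUL, traversal above the root, or a protected prefix).
     */
    public static String canonicalOrNull(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        String path = requested;
        try {
            // Decode until stable so %252e%252e (double-encoded "..") is caught too.
            for (int i = 0; i < 3; i++) {
                String decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
                if (decoded.equals(path)) {
                    break;
                }
                path = decoded;
            }
        } catch (IllegalArgumentException malformed) {
            return null; // e.g. a "%" not followed by two hex digits
        }
        if (path.indexOf('\0') >= 0) {
            return null; // NUL would truncate the path in native file APIs
        }
        path = path.replace('\\', '/'); // treat backslashes as separators, not as filename characters

        // Resolve "." and ".." segments; refuse any attempt to climb above the root.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        String canonical = "/" + String.join("/", segments);

        // Compare with a trailing slash appended so "/WEB-INF" itself is refused as well.
        String probe = canonical.toUpperCase(Locale.ROOT) + "/";
        for (String prefix : PROTECTED_PREFIXES) {
            if (probe.startsWith(prefix)) {
                return null;
            }
        }
        return canonical;
    }

    public static void main(String[] args) {
        // Constructed sample requests: the first two are legitimate, the rest are attacks.
        String[] samples = {
            "/css/main.css",
            "/static/../images/logo.png",
            "/WEB-INF/web.xml",
            "/web-inf/grails.xml",
            "/static/..%2fWEB-INF/web.xml",
            "/static/%252e%252e/META-INF/MANIFEST.MF",
            "\\WEB-INF\\web.xml",
            "/../etc/passwd",
        };
        for (String s : samples) {
            String result = canonicalOrNull(s);
            System.out.println((result == null ? "REJECT" : "SERVE " + result) + "  <- " + s);
        }
    }
}
```

The first two samples are served (the second as /images/logo.png); every other sample is rejected, either because it canonicalises under /WEB-INF or /META-INF or because it tries to climb above the root. Note that URLDecoder also turns "+" into a space, which is harmless for a deny-list check but worth knowing if the canonical path is later used to open a file.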
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- Spring MVC 3.0.0 to 3.2.4
- Spring MVC 4.0.0.M1-4.0.0.RC1
- Earlier unsupported versions may be affected
Description:
Spring MVC's SourceHttpMessageConverter also processed user-provided XML and
neither disabled XML external
Credit:
This issue was originally reported to the Spring Framework developers by Jon
Passki and the security implications brought to the attention of the Pivotal
security team by Arun Neelicattu.
References:
http://www.gopivotal.com/security/cve-2013-6430
https://jira.springsource.org/browse/SPR-9983
https
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- 3.0.0 to 3.2.3 (Spring OXM, Spring MVC)
- 4.0.0.M1 (Spring OXM)
- 4.0.0.M1-4.0.0.M2 (Spring MVC)
- Earlier unsupported versions may also be affected
Description:
The Spring OXM wrapper did not expose any property for disabling
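The flaw is the same for SourceHttpMessageConverter above and for the Spring OXM unmarshaller here: XML taken from the request is handed to a parser whose defaults resolve external entities, so a DOCTYPE in the request body can pull a local file into the document. The added example below is not Spring's code. It builds such a payload against a temporary file it creates itself, then parses it once through a bare StreamSource (the vulnerable path, where the Transformer's own parser resolves the entity) and once through an XMLReader with external entity resolution and external DTD loading switched off, wrapped in a SAXSource; the second form is what a hardened converter or OXM wrapper should hand downstream.

```java
import java.io.File;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** An XXE payload resolved by a bare StreamSource and blocked by a locked-down SAXSource. */
public final class XxeSourceDemo {

    /** Constructed payload: an external general entity whose SYSTEM id is the given local file. */
    static String payload(File target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + target.toURI() + "\">]>\n"
             + "<data>&xxe;</data>";
    }

    /** Vulnerable: the consumer parses the StreamSource with default settings and resolves the entity. */
    static String vulnerableParse(String xml) throws Exception {
        return serialize(new StreamSource(new StringReader(xml)));
    }

    /** Hardened: parse through an XMLReader that neither loads external DTDs nor resolves external entities. */
    static String hardenedParse(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // the identity transformer expects a namespace-aware reader
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // also caps entity expansion
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return serialize(new SAXSource(reader, new InputSource(new StringReader(xml))));
    }

    /** Identity-transforms the Source to a string; stands in for whatever consumes the converter's output. */
    static String serialize(Source source) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // The "secret" is a temporary file this program creates, so the demo stays local.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "local-secret-contents".getBytes(StandardCharsets.UTF_8));

        String xml = payload(secret);
        System.out.println("vulnerable: " + vulnerableParse(xml));
        System.out.println("hardened:   " + hardenedParse(xml));
    }
}
```

With a stock JDK the vulnerable line echoes the temporary file's contents inside the data element, while the hardened line leaves the element empty because the reader reports &xxe; as a skipped entity instead of fetching it. Where DTDs are never legitimate input, setting http://apache.org/xml/features/disallow-doctype-decl to true on the factory rejects the document outright, which is the stricter option.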