CVE-2014-3004 — Improper Restriction of XML External Entity Reference in Castor

Description

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

How to fix CVE-2014-3004

To remediate CVE-2014-3004, upgrade the affected package to a fixed version below.

Maven/castor:castor—no fix listed
Maven/org.codehaus.castor:castor—upgrade to 1.3.3 or later

Is CVE-2014-3004 being exploited?

Low — EPSS is 3.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 1.0
from 0, < 1.3.3

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3004
PATCHgithub.com/castor-data-binding/castor
WEBlists.opensuse.org/opensuse-updates/2014-06/msg00043.html
WEBpacketstormsecurity.com/files/126854/Castor-Library-XXE-Disclosure.html