XML External Entity injection in Play Framework - CVE-2014-3630
Published: December 29, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU37721
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2014-3630
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Play Framework
Play Framework
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
How to mitigate CVE-2014-3630
Install update from vendor's website.
Sources
- https://groups.google.com/forum/#!msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
- https://groups.google.com/forum/#!topic/play-framework/WdbFvemsFDQ
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
- https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity