JVNDB-2014-000117

Direct Web Remoting (DWR) vulnerable to XML external entity injection

Overview

Direct Web Remoting (DWR) is a Java framework for adding Ajax to web applications. DWR contains an XML external entity injection vulnerability (CWE-611).

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: Partial

Affected Products

Direct Web Remoting
  • DWR Version 2.0.10 and earlier
  • DWR Version 3.0.RC2 and earlier

Impact

When an application uses one of the DOM data converters (DOMConverter, JDOMConverter, DOM4JConverter or XOMConverter) and processes a specially crafted request, arbitrary files may be read.

Solution

[Update the Software]
Update to the latest version of DWR according to the information provided by the developer and rebuild your application.

Vendor Information

Direct Web Remoting

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-5325

References

  1. JVN : JVN#91502163
  2. National Vulnerability Database (NVD) : CVE-2014-5325

Revision History

  • [2014/11/14] Web page was published
  • [2014/11/25] References: Content was added