Direct Web Remoting (DWR) vulnerable to XML external entity injection


Direct Web Remoting (DWR) is a Java framework for developing Ajax into web applications. DWR contains an XML external entity injection vulnerability (CWE-611).

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

Direct Web Remoting
  • DWR Version 2.0.10 and earlier
  • DWR Version 3.0.RC2 and earlier


When an application uses a function to convert DOM data (DOMConverter, JDOMConverter, DOM4JConverter or XOMConverter) and a specially crafted request is processed, arbitrary files may be read.

[Update the Software]
Update to the latest version of DWR according to the information provided by the developer and rebuild your application.
Vendor Information

Direct Web Remoting
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-5325

  1. JVN : JVN#91502163
  2. National Vulnerability Database (NVD) : CVE-2014-5325
Revision History

  • [2014/11/14]
      Web page was published
      References : Content was added