CVE-2014-1904 (Low) detected in spring-webmvc-3.1.0.RELEASE.jar - autoclosed

[mend-for-github-com]

CVE-2014-1904 - Low Severity Vulnerability

Vulnerable Library - spring-webmvc-3.1.0.RELEASE.jar

Spring Framework Parent

Path to dependency file: /dd-java-agent/instrumentation/spring-webmvc-3.1/spring-webmvc-3.1.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.springframework/spring-webmvc/3.1.0.RELEASE/9a9c88df8825ff3c2ecb79f7ac29ad1e229e6fd6/spring-webmvc-3.1.0.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-webmvc-3.1.0.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Publish Date: 2014-03-20

URL: CVE-2014-1904

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2014-1904

Release Date: 2014-03-20

Fix Resolution: 3.2.8.RELEASE

---

⛑️ Automatic Remediation is available for this issue