CVE-2014-3630

high-risk
Published 2017-12-29

XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.

Do I need to act?

-
0.71% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework
Play Framework

Affected Vendors

Playframework Lightbend

References (8)

https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
https://groups.google.com/forum/#%21topic/play-framework/WdbFvemsFDQ
Issue Tracking https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singap...
Issue Tracking https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity
https://groups.google.com/forum/#%21msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
https://groups.google.com/forum/#%21topic/play-framework/WdbFvemsFDQ
Issue Tracking https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singap...
Issue Tracking https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity
55
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 21/34 · High