Medium severity 5.5 · NVD Advisory · Published Jul 12, 2016 · Updated May 6, 2026
CVE-2015-3192
Description
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-web (Maven) | < 3.2.14 | 3.2.14 |
| org.springframework:spring-web (Maven) | >= 4.0.0, < 4.1.7 | 4.1.7 |
| org.springframework:spring-web (Maven) | >= 5.0.0.RC2, < 5.0.0.RC3 | 5.0.0.RC3 |
Affected products
- cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Patches
- 5a711c05ec75
- d79ec68db40c
- e4651d6b50c5
- 0411435bac83
- 38b8262e1e2d
- 9c3580d04e84
Vulnerability mechanics
References
- pivotal.io/security/cve-2015-3192 (nvd, Vendor Advisory)
- github.com/advisories/GHSA-6v7w-535j-rq5m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-3192 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2016-1592.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2016-1593.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2016-2035.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2016-2036.html (nvd, WEB)
- www.securityfocus.com/bid/90853 (nvd, WEB)
- www.securitytracker.com/id/1036587 (nvd, WEB)
- access.redhat.com/errata/RHSA-2016:1218 (nvd, WEB)
- access.redhat.com/errata/RHSA-2016:1219 (nvd, WEB)
- github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907 (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09 (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424 (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b (ghsa, WEB)
- github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434 (ghsa, WEB)
- github.com/spring-projects/spring-framework/issues/17727 (ghsa, WEB)
- github.com/spring-projects/spring-framework/issues/20352 (ghsa, WEB)
- jira.spring.io/browse/SPR-13136 (nvd, WEB)
- jira.spring.io/browse/SPR-13136 (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2019/07/msg00012.html (nvd, WEB)
- spring.io/security/cve-2015-3192 (ghsa, WEB)