CVE-2014-5325

Name of the Vulnerable Software and Affected Versions Direct Web Remoting (DWR) versions 2.0.10 and earlier, 3.x through 3.0.RC2

Description The issue allows remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. This is due to the DOMConverter, JDOMConverter, DOM4JConverter, and XOMConverter functions in Direct Web Remoting (DWR).

Recommendations For versions 2.0.10 and earlier, update to a version later than 2.0.10 to resolve the issue. For versions 3.x through 3.0.RC2, update to a version later than 3.0.RC2 to resolve the issue. As a temporary workaround, consider restricting the use of the DOMConverter, JDOMConverter, DOM4JConverter, and XOMConverter functions until a patch is available.