It was identified that Spring MVC processed user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has now been disabled in this case. It was subsequently discovered that this fix was incomplete (CVE-2013-6429, CVE-2014-0054).
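The configuration issue described above, as an added example (not Spring's patch and not code from this advisory): it compares a StAX XMLInputFactory left at its defaults with one that has DTD support and external entity resolution disabled. The class name, the temp file and the marker string are constructed for this check.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxExternalEntityCheck {
    // Hardened factory: no DTD processing and no external entity resolution.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Collects all character data the parser delivers; a parse error counts as rejection.
    static String readText(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            // This reader is what would be handed to JAXB: Unmarshaller.unmarshal(XMLStreamReader)
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return "<rejected: " + e.getClass().getSimpleName() + ">";
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file holding a marker stands in for a local resource.
        Path local = Files.createTempFile("entity-check", ".txt");
        Files.write(local, "MARKER-7f3a".getBytes("UTF-8"));
        String xml = "<!DOCTYPE note [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>"
                   + "<note>&ext;</note>";
        String byDefault = readText(XMLInputFactory.newInstance(), xml);
        String hardened = readText(hardenedFactory(), xml);
        System.out.println("default factory returned marker:  " + byDefault.contains("MARKER-7f3a"));
        System.out.println("hardened factory returned marker: " + hardened.contains("MARKER-7f3a"));
        Files.delete(local);
        if (hardened.contains("MARKER-7f3a")) throw new IllegalStateException("external entity was resolved");
    }
}
```

The result for the default factory depends on the StAX implementation and JDK in use, which is why the check prints it rather than assuming it; the hardened factory must never return the marker.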
Users of affected versions should apply the following mitigation:
These issues were identified by Alvaro Munoz of the HP Enterprise Security Team.
The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.
To report a security vulnerability in a VMware service or product, please refer to the VMware Security Response Policy.