When processing user-provided XML documents, the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration. This enabled an XML External Entity (XXE) attack: an attacker-controlled DOCTYPE could declare an external entity whose SYSTEM URI points at a local file or network resource, and the parser would fetch that resource when the entity was referenced in the document.
Users of affected versions should apply the following mitigation:
This issue was discovered and responsibly reported to the Pivotal security team by Nebula (XIAOBAISHAN, CHIBI, HUBEI.CN), the HelloWorld security team and the DBappsecurity.com security team. Additional information demonstrating how a full XXE attack could be carried out was provided by David Jorm of the Red Hat security team.
The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.
To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.