CVE-2013-4152

Published: 23/01/2014 Updated: 11/04/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Spring OXM wrapper in Spring Framework prior to 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent malicious users to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
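The general mitigation for this class of issue, shown here as an added example rather than code from the Spring project or this record: build the SAXSource or StAXSource handed to the JAXB unmarshaller from a parser that has DTD processing and external entity resolution switched off, instead of letting JAXB parse a raw StreamSource with default settings. The class and method names are assumptions; the SAX/StAX feature and property names are the standard ones.

```java
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import java.io.Reader;

// Hypothetical helper: hardened Source factories for JAXB unmarshalling.
public final class SafeXmlSources {

    // SAXSource whose XMLReader rejects DOCTYPE declarations outright and,
    // as defence in depth, never resolves external general or parameter entities.
    public static SAXSource saxSource(Reader xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(xml));
    }

    // StAXSource built from an XMLInputFactory with DTD support and external
    // entity expansion disabled; a DOCTYPE in the input is then a parse error.
    public static StAXSource staxSource(Reader xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = xif.createXMLStreamReader(xml);
        return new StAXSource(reader);
    }

    // Unmarshal through the hardened SAXSource; JAXB then uses our configured
    // XMLReader instead of creating its own parser with default settings.
    public static <T> T unmarshal(Class<T> type, Reader xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(type).createUnmarshaller();
        return u.unmarshal(saxSource(xml), type).getValue();
    }
}
```

Feeding a document that declares an external entity into unmarshal() now fails at the parser instead of reaching the filesystem or network, which is the behaviour the fixed Spring versions provide through their own source configuration.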

Vulnerable Products

vmware spring framework
vmware spring framework 3.2.2
vmware spring framework 3.1.0
vmware spring framework 3.0.7
springsource spring framework 3.0.0.m2
springsource spring framework 3.0.0.m1
springsource spring framework 3.0.0
vmware spring framework 3.1.4
vmware spring framework 3.1.3
springsource spring framework 3.0.4
springsource spring framework 3.0.3
vmware spring framework 3.1.2
vmware spring framework 3.1.1
springsource spring framework 3.0.2
springsource spring framework 3.0.1
vmware spring framework 3.2.1
vmware spring framework 3.2.0
vmware spring framework 3.0.6
vmware spring framework 4.0.0
springsource spring framework 3.0.5

Vendor Advisories

Debian Bug report logs - #720902 libspring-java: CVE-2013-4152. Package: libspring-java; Maintainer for libspring-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@inutil.org>; Date: Mon, 26 Aug 2013 06:51:02 UTC; Severity: grave; Tags: security; Found in ...
Debian Bug report logs - #741604 libspring-java: Multiple security issues. Package: libspring-java; Maintainer for libspring-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@inutil.org>; Date: Fri, 14 Mar 2014 12:39:01 UTC; Owned by: Miguel Landaeta < ...
Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller: D ...
It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was incomplete. Spring MVC's SourceHttpMessageConverter also processed user-provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has b ...
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSou ...