Lucene search

[email protected]CVE-2013-4152

HistoryJan 23, 2014 - 9:55 p.m.

CVE-2013-4152

2014-01-2321:55:04

CWE-264

[email protected]

web.nvd.nist.gov

160

cve-2013-4152

spring framework

oxm wrapper

xml external entity

file read

denial of service

csrf

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

5.7 Medium

AI Score

Confidence

High

0.937 High

EPSS

Percentile

99.1%

JSON

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Affected configurations

NVD

Node

springsourcespring_frameworkMatch3.0.0

springsourcespring_frameworkMatch3.0.0m1

springsourcespring_frameworkMatch3.0.0m2

springsourcespring_frameworkMatch3.0.0m3

springsourcespring_frameworkMatch3.0.0m4

springsourcespring_frameworkMatch3.0.0rc1

springsourcespring_frameworkMatch3.0.0rc2

springsourcespring_frameworkMatch3.0.0rc3

springsourcespring_frameworkMatch3.0.0.m1

springsourcespring_frameworkMatch3.0.0.m2

springsourcespring_frameworkMatch3.0.1

springsourcespring_frameworkMatch3.0.2

springsourcespring_frameworkMatch3.0.3

springsourcespring_frameworkMatch3.0.4

springsourcespring_frameworkMatch3.0.5

vmwarespring_frameworkRange≤3.2.3

vmwarespring_frameworkMatch3.0.6

vmwarespring_frameworkMatch3.0.7

vmwarespring_frameworkMatch3.1.0

vmwarespring_frameworkMatch3.1.1

vmwarespring_frameworkMatch3.1.2

vmwarespring_frameworkMatch3.1.3

vmwarespring_frameworkMatch3.1.4

vmwarespring_frameworkMatch3.2.0

vmwarespring_frameworkMatch3.2.1

vmwarespring_frameworkMatch3.2.2

vmwarespring_frameworkMatch4.0.0milestone1

CPENameOperatorVersion
springsource:spring_frameworkspringsource spring frameworkeq3.0.0
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m1
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m2
springsource:spring_frameworkspringsource spring frameworkeq3.0.1
springsource:spring_frameworkspringsource spring frameworkeq3.0.2
springsource:spring_frameworkspringsource spring frameworkeq3.0.3
springsource:spring_frameworkspringsource spring frameworkeq3.0.4
springsource:spring_frameworkspringsource spring frameworkeq3.0.5
vmware:spring_frameworkvmware spring frameworkle3.2.3
vmware:spring_frameworkvmware spring frameworkeq3.0.6

CPE	Name	Operator	Version
springsource:spring_framework	springsource spring framework	eq	3.0.0
springsource:spring_framework	springsource spring framework	eq	3.0.0.m1
springsource:spring_framework	springsource spring framework	eq	3.0.0.m2
springsource:spring_framework	springsource spring framework	eq	3.0.1
springsource:spring_framework	springsource spring framework	eq	3.0.2
springsource:spring_framework	springsource spring framework	eq	3.0.3
springsource:spring_framework	springsource spring framework	eq	3.0.4
springsource:spring_framework	springsource spring framework	eq	3.0.5
vmware:spring_framework	vmware spring framework	le	3.2.3
vmware:spring_framework	vmware spring framework	eq	3.0.6