Lucene search

[email protected]CVE-2013-7315

HistoryJan 23, 2014 - 9:55 p.m.

CVE-2013-7315

2014-01-2321:55:05

CWE-264

[email protected]

web.nvd.nist.gov

cve

2013

7315

spring mvc

spring framework

xxe attacks

xml

jaxb

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

6.1 Medium

AI Score

Confidence

High

0.937 High

EPSS

Percentile

99.1%

JSON

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Affected configurations

NVD

Node

springsourcespring_frameworkMatch3.0.0

springsourcespring_frameworkMatch3.0.0m1

springsourcespring_frameworkMatch3.0.0m2

springsourcespring_frameworkMatch3.0.0m3

springsourcespring_frameworkMatch3.0.0m4

springsourcespring_frameworkMatch3.0.0rc1

springsourcespring_frameworkMatch3.0.0rc2

springsourcespring_frameworkMatch3.0.0rc3

springsourcespring_frameworkMatch3.0.0.m1

springsourcespring_frameworkMatch3.0.0.m2

springsourcespring_frameworkMatch3.0.1

springsourcespring_frameworkMatch3.0.2

springsourcespring_frameworkMatch3.0.3

springsourcespring_frameworkMatch3.0.4

springsourcespring_frameworkMatch3.0.5

vmwarespring_frameworkRange≤3.2.3

vmwarespring_frameworkMatch3.0.6

vmwarespring_frameworkMatch3.0.7

vmwarespring_frameworkMatch3.1.0

vmwarespring_frameworkMatch3.1.1

vmwarespring_frameworkMatch3.1.2

vmwarespring_frameworkMatch3.1.3

vmwarespring_frameworkMatch3.1.4

vmwarespring_frameworkMatch3.2.0

vmwarespring_frameworkMatch3.2.1

vmwarespring_frameworkMatch3.2.2

vmwarespring_frameworkMatch4.0.0milestone1

vmwarespring_frameworkMatch4.0.0milestone2

CPENameOperatorVersion
springsource:spring_frameworkspringsource spring frameworkeq3.0.0
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m1
springsource:spring_frameworkspringsource spring frameworkeq3.0.0.m2
springsource:spring_frameworkspringsource spring frameworkeq3.0.1
springsource:spring_frameworkspringsource spring frameworkeq3.0.2
springsource:spring_frameworkspringsource spring frameworkeq3.0.3
springsource:spring_frameworkspringsource spring frameworkeq3.0.4
springsource:spring_frameworkspringsource spring frameworkeq3.0.5
vmware:spring_frameworkvmware spring frameworkle3.2.3
vmware:spring_frameworkvmware spring frameworkeq3.0.6

CPE	Name	Operator	Version
springsource:spring_framework	springsource spring framework	eq	3.0.0
springsource:spring_framework	springsource spring framework	eq	3.0.0.m1
springsource:spring_framework	springsource spring framework	eq	3.0.0.m2
springsource:spring_framework	springsource spring framework	eq	3.0.1
springsource:spring_framework	springsource spring framework	eq	3.0.2
springsource:spring_framework	springsource spring framework	eq	3.0.3
springsource:spring_framework	springsource spring framework	eq	3.0.4
springsource:spring_framework	springsource spring framework	eq	3.0.5
vmware:spring_framework	vmware spring framework	le	3.2.3
vmware:spring_framework	vmware spring framework	eq	3.0.6