CVE-2013-4152

CVSS v2.0 6.8 (Medium)
EPSS 93.67% (99th percentile)
Affected Products 2
Advisories 2

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Weaknesses
CWE-264
Permissions, Privileges, and Access Controls
Related CVEs
CVE Status
PUBLISHED
CNA
Red Hat, Inc.
Published Date
2014-01-23 21:55:04
(10 years ago)
Updated Date
2022-04-11 17:36:29
(2 years ago)

Affected Products


Configuration #1

Product | Version | CPE 2.3 | From | Up To
Springsource Spring Framework | 3.0.0 | cpe:2.3:a:springsource:spring_framework:3.0.0 | | 
Springsource Spring Framework | 3.0.0 M1 | cpe:2.3:a:springsource:spring_framework:3.0.0:m1 | | 
Springsource Spring Framework | 3.0.0 M2 | cpe:2.3:a:springsource:spring_framework:3.0.0:m2 | | 
Springsource Spring Framework | 3.0.0 M3 | cpe:2.3:a:springsource:spring_framework:3.0.0:m3 | | 
Springsource Spring Framework | 3.0.0 M4 | cpe:2.3:a:springsource:spring_framework:3.0.0:m4 | | 
Springsource Spring Framework | 3.0.0 RC1 | cpe:2.3:a:springsource:spring_framework:3.0.0:rc1 | | 
Springsource Spring Framework | 3.0.0 RC2 | cpe:2.3:a:springsource:spring_framework:3.0.0:rc2 | | 
Springsource Spring Framework | 3.0.0 RC3 | cpe:2.3:a:springsource:spring_framework:3.0.0:rc3 | | 
Springsource Spring Framework | 3.0.0.m1 | cpe:2.3:a:springsource:spring_framework:3.0.0.m1 | | 
Springsource Spring Framework | 3.0.0.m2 | cpe:2.3:a:springsource:spring_framework:3.0.0.m2 | | 
Springsource Spring Framework | 3.0.1 | cpe:2.3:a:springsource:spring_framework:3.0.1 | | 
Springsource Spring Framework | 3.0.2 | cpe:2.3:a:springsource:spring_framework:3.0.2 | | 
Springsource Spring Framework | 3.0.3 | cpe:2.3:a:springsource:spring_framework:3.0.3 | | 
Springsource Spring Framework | 3.0.4 | cpe:2.3:a:springsource:spring_framework:3.0.4 | | 
Springsource Spring Framework | 3.0.5 | cpe:2.3:a:springsource:spring_framework:3.0.5 | | 
Vmware Spring Framework | 3.2.3 and prior versions | cpe:2.3:a:vmware:spring_framework | | <= 3.2.3
Vmware Spring Framework | 3.0.6 | cpe:2.3:a:vmware:spring_framework:3.0.6 | | 
Vmware Spring Framework | 3.0.7 | cpe:2.3:a:vmware:spring_framework:3.0.7 | | 
Vmware Spring Framework | 3.1.0 | cpe:2.3:a:vmware:spring_framework:3.1.0 | | 
Vmware Spring Framework | 3.1.1 | cpe:2.3:a:vmware:spring_framework:3.1.1 | | 
Vmware Spring Framework | 3.1.2 | cpe:2.3:a:vmware:spring_framework:3.1.2 | | 
Vmware Spring Framework | 3.1.3 | cpe:2.3:a:vmware:spring_framework:3.1.3 | | 
Vmware Spring Framework | 3.1.4 | cpe:2.3:a:vmware:spring_framework:3.1.4 | | 
Vmware Spring Framework | 3.2.0 | cpe:2.3:a:vmware:spring_framework:3.2.0 | | 
Vmware Spring Framework | 3.2.1 | cpe:2.3:a:vmware:spring_framework:3.2.1 | | 
Vmware Spring Framework | 3.2.2 | cpe:2.3:a:vmware:spring_framework:3.2.2 | | 
Vmware Spring Framework | 4.0.0 Milestone1 | cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1 | | 