CVE-2013-7315

Published: Jan 23, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
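
The StAX factory settings the description says were not applied, shown as an added example (not code from Spring Framework or from this record). The class name, the sample document and its placeholder URI are constructed for illustration; the run uses the JDK's default StAX implementation.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxDemo {
    // Constructed sample: a document that declares an external entity (placeholder URI).
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
      + "<order><note>&ext;</note></order>";

    // Factory with DTD processing and external entity resolution switched off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Defense in depth: if the parser still asks for a resolution, refuse it.
        f.setXMLResolver((publicId, systemId, baseUri, namespace) -> {
            throw new XMLStreamException("external entity blocked: " + systemId);
        });
        return f;
    }

    // Returns the character data of the document, or null when the parser rejects it.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            // A reader built this way is what JAXB's Unmarshaller.unmarshal(XMLStreamReader) accepts.
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String benign = "<order><note>two widgets</note></order>";
        System.out.println("benign   -> " + parse(hardenedFactory(), benign));
        System.out.println("with DTD -> " + parse(hardenedFactory(), SAMPLE));
    }
}
```

With both properties set to false, the entity in the sample document is never fetched: the parser either rejects the document or leaves the reference unresolved, and ordinary XML without a DTD parses as before.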

Vendor: n/a
Product: n/a
Versions: affected, n/a

References

20131102 XXE Injection in Spring Framework (mailing-list, x_refsource_FULLDISC)
DSA-2842 (vendor-advisory, x_refsource_DEBIAN)
77998 (vdb-entry, x_refsource_BID)
