6.8

CVE-2013-4152

Exploit
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SpringsourceSpring Framework Version3.0.0
SpringsourceSpring Framework Version3.0.0 Updatem1
SpringsourceSpring Framework Version3.0.0 Updatem2
SpringsourceSpring Framework Version3.0.0 Updatem3
SpringsourceSpring Framework Version3.0.0 Updatem4
SpringsourceSpring Framework Version3.0.0 Updaterc1
SpringsourceSpring Framework Version3.0.0 Updaterc2
SpringsourceSpring Framework Version3.0.0 Updaterc3
SpringsourceSpring Framework Version3.0.0.m1
SpringsourceSpring Framework Version3.0.0.m2
SpringsourceSpring Framework Version3.0.1
SpringsourceSpring Framework Version3.0.2
SpringsourceSpring Framework Version3.0.3
SpringsourceSpring Framework Version3.0.4
SpringsourceSpring Framework Version3.0.5
VMwareSpring Framework Version <= 3.2.3
VMwareSpring Framework Version3.0.6
VMwareSpring Framework Version3.0.7
VMwareSpring Framework Version3.1.0
VMwareSpring Framework Version3.1.1
VMwareSpring Framework Version3.1.2
VMwareSpring Framework Version3.1.3
VMwareSpring Framework Version3.1.4
VMwareSpring Framework Version3.2.0
VMwareSpring Framework Version3.2.1
VMwareSpring Framework Version3.2.2
VMwareSpring Framework Version4.0.0 Updatemilestone1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 26.47% 0.978
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://rhn.redhat.com/errata/RHSA-2014-0212.html
http://rhn.redhat.com/errata/RHSA-2014-0245.html
http://rhn.redhat.com/errata/RHSA-2014-0254.html
http://rhn.redhat.com/errata/RHSA-2014-0400.html
http://secunia.com/advisories/57915
http://seclists.org/bugtraq/2013/Aug/154
http://seclists.org/fulldisclosure/2013/Nov/14
http://secunia.com/advisories/56247
http://www.debian.org/security/2014/dsa-2842
http://www.gopivotal.com/security/cve-2013-4152
Vendor Advisory
http://www.securityfocus.com/bid/61951
https://github.com/spring-projects/spring-framework/pull/317/files
Patch
https://jira.springsource.org/browse/SPR-10806
Patch
Exploit