CVE-2013-6429

EPSS 58.21%
Veröffentlicht 26.01.2014 16:58:10
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pivotal Software ≫ Spring Framework Version >= 3.0.0 <= 3.2.4

VMware ≫ Spring Framework Version4.0.0 Updatemilestone1

VMware ≫ Spring Framework Version4.0.0 Updatemilestone2

VMware ≫ Spring Framework Version4.0.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	58.21%	0.981

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

http://rhn.redhat.com/errata/RHSA-2014-0400.html

Third Party Advisory

http://secunia.com/advisories/57915

Third Party Advisory

http://www.gopivotal.com/security/cve-2013-6429

Third Party Advisory

http://www.securityfocus.com/archive/1/530770/100/0/threaded

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/64947

Third Party Advisory

VDB Entry