6.8

CVE-2013-7315

Exploit

EPSS 0.52%
Published 23.01.2014 21:55:05
Last modified 11.04.2025 00:51:21
Source cve@mitre.org
Teams watchlist Login
Open Login

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Affected products Warnungen 0 Metrics 2 CWE 0 References 9

Data is provided by the National Vulnerability Database (NVD)

Springsource ≫ Spring Framework Version3.0.0

Springsource ≫ Spring Framework Version3.0.0 Updatem1

Springsource ≫ Spring Framework Version3.0.0 Updatem2

Springsource ≫ Spring Framework Version3.0.0 Updatem3

Springsource ≫ Spring Framework Version3.0.0 Updatem4

Springsource ≫ Spring Framework Version3.0.0 Updaterc1

Springsource ≫ Spring Framework Version3.0.0 Updaterc2

Springsource ≫ Spring Framework Version3.0.0 Updaterc3

Springsource ≫ Spring Framework Version3.0.0.m1

Springsource ≫ Spring Framework Version3.0.0.m2

Springsource ≫ Spring Framework Version3.0.1

Springsource ≫ Spring Framework Version3.0.2

Springsource ≫ Spring Framework Version3.0.3

Springsource ≫ Spring Framework Version3.0.4

Springsource ≫ Spring Framework Version3.0.5

VMware ≫ Spring Framework Version <= 3.2.3

VMware ≫ Spring Framework Version3.0.6

VMware ≫ Spring Framework Version3.0.7

VMware ≫ Spring Framework Version3.1.0

VMware ≫ Spring Framework Version3.1.1

VMware ≫ Spring Framework Version3.1.2

VMware ≫ Spring Framework Version3.1.3

VMware ≫ Spring Framework Version3.1.4

VMware ≫ Spring Framework Version3.2.0

VMware ≫ Spring Framework Version3.2.1

VMware ≫ Spring Framework Version3.2.2

VMware ≫ Spring Framework Version4.0.0 Updatemilestone1

VMware ≫ Spring Framework Version4.0.0 Updatemilestone2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.52%	0.659

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

http://seclists.org/bugtraq/2013/Aug/154

http://seclists.org/fulldisclosure/2013/Nov/14

http://www.debian.org/security/2014/dsa-2842

http://www.gopivotal.com/security/cve-2013-4152

Vendor Advisory

https://jira.springsource.org/browse/SPR-10806

Patch

Exploit

http://www.securityfocus.com/bid/77998

https://nvd.nist.gov/vuln/detail/CVE-2013-7315

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2013-7315

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2013-7315

EUVD