logo

Database

Insecure functionality In libspring-java

Description

Missing XML Validation in Spring Framework The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2013-73152. NVD-2013-73153. OSV-DEBIAN-2013-73154. OSV-2013-73155. GCVE-2013-73156. SECURITY-TRACKER-CVE-2013-73157. bugzilla.redhat.com

References

1. https://github.com/spring-projects/spring-framework/issues/154322. https://github.com/spring-projects/spring-framework/commit/434735fbf6e7f9051af2ef027657edb99120b1733. https://github.com/spring-projects/spring-framework/commit/7576274874deeccb6da6b09a8d5bd62e8b5538b74. https://jira.spring.io/browse/SPR-10806?redirect=false5. http://seclists.org/bugtraq/2013/Aug/1546. http://seclists.org/fulldisclosure/2013/Nov/147. http://www.debian.org/security/2014/dsa-28428. http://www.securityfocus.com/bid/779989. http://www.gopivotal.com/security/cve-2013-4152

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.