Vulnerability Details : CVE-2013-4152
Potential exploit
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerability category: Cross-site request forgery (CSRF), XML external entity (XXE) injection, Denial of service
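The description above says what the bug is but not how it looks in code. The following is an added example, not code from the Spring project or from the advisory, that reproduces the vulnerable pattern with plain JAXB (which is what Spring OXM before 3.2.4 effectively did when it passed a StreamSource straight to the JAXB unmarshaller) and places the hardened form beside it. The hardened form mirrors the approach of the SPR-10806 fix: wrap the input in a SAXSource whose XMLReader has external-entity resolution disabled, so JAXB never expands the entity. Assumptions: the `Note` class is a hypothetical JAXB-bound type standing in for whatever the application unmarshals; the "secret" file is constructed by the example itself so nothing on the real system is read; `javax.xml.bind` is available (JDK 8, or a JAXB dependency on later JDKs).

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SpringOxmXxeDemo {

    // Hypothetical JAXB-bound type standing in for whatever the application unmarshals.
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Constructed attacker payload: the DOCTYPE declares an external entity that points at a
    // local file, and the entity reference inside <body> pulls that file's contents into the
    // document. This is the "external entity declaration in conjunction with an entity
    // reference" the CVE text describes.
    static String xxePayload(File target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE note [<!ENTITY xxe SYSTEM \"" + target.toURI() + "\">]>\n"
             + "<note><body>&xxe;</body></note>";
    }

    // Vulnerable path. Spring OXM before 3.2.4 handed the StreamSource straight to JAXB, whose
    // default parser resolves external entities, so the file contents end up in note.body.
    static Note unmarshalVulnerable(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        return (Note) u.unmarshal(new StreamSource(new StringReader(xml)));
    }

    // Hardened path, the same shape as the SPR-10806 fix: build an XMLReader that refuses
    // DOCTYPEs and never resolves external entities, and hand it to JAXB inside a SAXSource.
    // JAXB uses the reader we supply, so the entity is never expanded.
    static Note unmarshalHardened(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        return (Note) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file so the demo never reads real system files.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "db_password=hunter2".getBytes(StandardCharsets.UTF_8));

        String xml = xxePayload(secret);

        Note leaked = unmarshalVulnerable(xml);
        System.out.println("vulnerable: body = " + leaked.body);   // the file contents are exfiltrated

        try {
            unmarshalHardened(xml);
            System.out.println("hardened: unexpectedly parsed");
        } catch (UnmarshalException e) {
            // The parser rejects the DOCTYPE before any entity can be resolved.
            System.out.println("hardened: rejected (" + e.getCause().getMessage() + ")");
        }
    }
}
```

On a fixed Spring Framework (3.2.4+, 4.0.0.M2+), `Jaxb2Marshaller` exposes the `processExternalEntities` property that pull request #317 introduced; it defaults to `false`, and in that mode the marshaller wraps a StreamSource in a SAXSource with entity resolution disabled, which is what `unmarshalHardened` above does by hand. The check a practitioner wants is therefore twofold: confirm the deployed `spring-oxm` version is at or past the fix, and confirm nobody has set `processExternalEntities` back to `true`. Note that the vulnerable path also applies to DOMSource, StAXSource and SAXSource inputs built with a permissively configured parser, so the parser features shown here matter wherever the Source is constructed, not only in the marshaller.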
Products affected by CVE-2013-4152
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4152
- 84.06%: probability of exploitation activity in the next 30 days
- ~99%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4152
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2013-4152
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4152
- http://secunia.com/advisories/57915
- http://rhn.redhat.com/errata/RHSA-2014-0400.html (RHSA-2014:0400 - Security Advisory - Red Hat Customer Portal)
- http://www.gopivotal.com/security/cve-2013-4152 (CVE-2013-4152 XML eXternal Entity (XXE) injection in Spring Framework | Security | Pivotal) [Vendor Advisory]
- http://rhn.redhat.com/errata/RHSA-2014-0212.html (RHSA-2014:0212 - Security Advisory - Red Hat Customer Portal)
- http://seclists.org/fulldisclosure/2013/Nov/14 (Full Disclosure: XXE Injection in Spring Framework)
- http://seclists.org/bugtraq/2013/Aug/154 (Bugtraq: CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework)
- https://jira.springsource.org/browse/SPR-10806 (Fix potential security risk when using Spring OXM [SPR-10806] · Issue #15432 · spring-projects/spring-framework · GitHub) [Exploit; Patch]
- http://rhn.redhat.com/errata/RHSA-2014-0245.html (RHSA-2014:0245 - Security Advisory - Red Hat Customer Portal)
- https://github.com/spring-projects/spring-framework/pull/317/files (Added 'processExternalEntities' to JAXB2Marshaller by poutsma · Pull Request #317 · spring-projects/spring-framework · GitHub) [Patch]
- http://www.debian.org/security/2014/dsa-2842 (Debian -- Security Information -- DSA-2842-1 libspring-java)
- http://secunia.com/advisories/56247
- http://www.securityfocus.com/bid/61951 (Spring Framework CVE-2013-4152 Multiple XML External Entity Injection Vulnerabilities)
- http://rhn.redhat.com/errata/RHSA-2014-0254.html (RHSA-2014:0254 - Security Advisory - Red Hat Customer Portal)