CVE-2013-6429

2014-01-2616:58:00

CWE-611

CWE-352

[email protected]

web.nvd.nist.gov

102

cve-2013-6429

sourcehttpmessageconverter

spring mvc

spring framework

xxe

xml external entity

denial of service

csrf

nvd

7 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.765 High

EPSS

Percentile

98.2%

JSON

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

CPENameOperatorVersion
pivotal_software:spring_frameworkpivotal software spring frameworkle3.2.4
vmware:spring_frameworkvmware spring frameworkeq4.0.0