Lucene search

[email protected]NVD:CVE-2013-4152

HistoryJan 23, 2014 - 9:55 p.m.

CVE-2013-4152

2014-01-2321:55:04

CWE-264

[email protected]

web.nvd.nist.gov

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

7.2

Confidence

High

EPSS

0.937

Percentile

99.1%

JSON

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Affected configurations

Nvd

Node

springsourcespring_frameworkMatch3.0.0

springsourcespring_frameworkMatch3.0.0m1

springsourcespring_frameworkMatch3.0.0m2

springsourcespring_frameworkMatch3.0.0m3

springsourcespring_frameworkMatch3.0.0m4

springsourcespring_frameworkMatch3.0.0rc1

springsourcespring_frameworkMatch3.0.0rc2

springsourcespring_frameworkMatch3.0.0rc3

springsourcespring_frameworkMatch3.0.0.m1

springsourcespring_frameworkMatch3.0.0.m2

springsourcespring_frameworkMatch3.0.1

springsourcespring_frameworkMatch3.0.2

springsourcespring_frameworkMatch3.0.3

springsourcespring_frameworkMatch3.0.4

springsourcespring_frameworkMatch3.0.5

vmwarespring_frameworkRange≤3.2.3

vmwarespring_frameworkMatch3.0.6

vmwarespring_frameworkMatch3.0.7

vmwarespring_frameworkMatch3.1.0

vmwarespring_frameworkMatch3.1.1

vmwarespring_frameworkMatch3.1.2

vmwarespring_frameworkMatch3.1.3

vmwarespring_frameworkMatch3.1.4

vmwarespring_frameworkMatch3.2.0

vmwarespring_frameworkMatch3.2.1

vmwarespring_frameworkMatch3.2.2

vmwarespring_frameworkMatch4.0.0milestone1

VendorProductVersionCPE
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
springsourcespring_framework3.0.0cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
springsourcespring_framework3.0.0.m1cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
springsourcespring_framework3.0.0.m2cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:::::::*
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:m1::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:m2::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:m3::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:m4::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:rc1::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:rc2::::::
springsource	spring_framework	3.0.0	cpe:2.3:a:springsource:spring_framework:3.0.0:rc3::::::
springsource	spring_framework	3.0.0.m1	cpe:2.3:a:springsource:spring_framework:3.0.0.m1:::::::*
springsource	spring_framework	3.0.0.m2	cpe:2.3:a:springsource:spring_framework:3.0.0.m2:::::::*