Lucene search

K

[email protected]NVD:CVE-2013-6429

HistoryJan 26, 2014 - 4:58 p.m.

CVE-2013-6429

2014-01-2616:58:10

CWE-611

CWE-352

[email protected]

web.nvd.nist.gov

1

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.2 High

AI Score

Confidence

High

0.937 High

EPSS

Percentile

99.1%

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Affected configurations

NVD

Node

pivotal_softwarespring_frameworkRange3.0.0–3.2.4

OR

vmwarespring_frameworkMatch4.0.0milestone1

OR

vmwarespring_frameworkMatch4.0.0milestone2

OR

vmwarespring_frameworkMatch4.0.0rc1

References

rhn.redhat.com/errata/RHSA-2014-0400.html

secunia.com/advisories/57915

www.gopivotal.com/security/cve-2013-6429

www.securityfocus.com/archive/1/530770/100/0/threaded

www.securityfocus.com/bid/64947

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.2 High

AI Score

Confidence

High

0.937 High

EPSS

Percentile

99.1%

Related for NVD:CVE-2013-6429

debiancve4 cvelist5 cve5 osv5 ubuntucve4 prion5 github4 nvd4 openvas6 securityvulns6 ibm12 debian2 mageia2 nessus5 checkpoint_advisories3 redhat5