Xxe

2014-01-2321:55:00

PRIOn knowledge base

www.prio-n.com

9.2 High

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

77.2%

JSON

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

CPENameOperatorVersion
spring_frameworkeq3.0.0 m2
spring_frameworkeq3.0.1
spring_frameworkeq3.0.0 rc3
spring_frameworkeq3.0.5
spring_frameworkeq3.0.2
spring_frameworkeq3.0.0 m3
spring_frameworkeq3.0.0 rc2
spring_frameworkeq3.0.0 m1
spring_frameworkeq3.0.4
spring_frameworkeq3.0.0 rc1

Name	Operator	Version
spring_framework	eq	3.0.0 m2
spring_framework	eq	3.0.1
spring_framework	eq	3.0.0 rc3
spring_framework	eq	3.0.5
spring_framework	eq	3.0.2
spring_framework	eq	3.0.0 m3
spring_framework	eq	3.0.0 rc2
spring_framework	eq	3.0.0 m1
spring_framework	eq	3.0.4
spring_framework	eq	3.0.0 rc1