CVE-2013-4152: Cross-Site Request Forgery in VMware Spring Framework

Severity: 6.8 MEDIUM (NVD)
EPSS: 72.3% (top 1.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 23; latest update May 13

Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (7)

OSV: Cross-Site Request Forgery in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
GHSA: Missing XML Validation in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)

📋 Vendor Advisories (4)

Red Hat: Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429 (2014-01-31)
Red Hat: Framework: XML External Entity (XXE) injection flaw (2014-01-14)
Red Hat: Framework: XML External Entity (XXE) injection flaw (2013-08-22)
Debian: CVE-2013-4152: libspring-java - The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using... (2013)

💬 Community (2)

Bugzilla: CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw (2014-01-14)
Bugzilla: CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw (2013-08-22)
CVE-2013-4152: Cross-Site Request Forgery in VMware | cvebase