cbcvebase.
CVE-2013-6429
published 2014-01-26

CVE-2013-6429: The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which…

medium6.8CVSS 3.1
AVNACMAuNCPIPAP
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Affected

29 ranges· showing 25
VendorProductVersion rangeFixed in
debianlibspring-java< libspring-java 3.0.6.RELEASE-13 (bookworm)libspring-java 3.0.6.RELEASE-13 (bookworm)
debianlibspring-java< libspring-java 3.0.6.RELEASE-11 (bookworm)libspring-java 3.0.6.RELEASE-11 (bookworm)
pivotal_softwarespring_framework3.0.0 – 3.2.4
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
springsourcespring_framework
vmwarespring_framework<= 3.2.7
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework
vmwarespring_framework

CVSS provenance

nvd6.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa6.8MEDIUM
osv6.8MEDIUM