Severity: 6.8 MEDIUM (CVSS v2)
EPSS: 38.7% (top 2.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2014-01-26; latest update 2022-05-13

Description

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

CVSS vector (v2)

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (4 packages)

Maven: org.springframework:spring-web < 3.2.5.RELEASE
Debian: libspring-java < 3.0.6.RELEASE-11+3

🔴 Vulnerability Details (5)

GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
OSV: Cross-Site Request Forgery in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
CVEList: CVE-2013-6429: The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3... (2014-01-26)
OSV: CVE-2013-6429: The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3... (2014-01-26)

📋 Vendor Advisories (3)

Red Hat: Spring Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429 (2014-01-31)
Red Hat: Spring Framework: XML External Entity (XXE) injection flaw (2014-01-14)
Debian: CVE-2013-6429: libspring-java - The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 an... (2013)

💬 Community (2)

Bugzilla: CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429 (2014-03-12)
Bugzilla: CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw (2014-01-14)