CVE-2013-7315
published 2014-01-23


Severity: medium, 6.8 (CVSS 3.1)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Affected

31 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspring-java | < libspring-java 3.0.6.RELEASE-13 (bookworm) | libspring-java 3.0.6.RELEASE-13 (bookworm) |
| debian | libspring-java | < libspring-java 3.0.6.RELEASE-11 (bookworm) | libspring-java 3.0.6.RELEASE-11 (bookworm) |
| debian | libspring-java | < libspring-java 3.0.6.RELEASE-10 (bookworm) | libspring-java 3.0.6.RELEASE-10 (bookworm) |
| pivotal_software | spring_framework | 3.0.0 – 3.2.4 | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| springsource | spring_framework | | |
| vmware | spring_framework | <= 3.2.3 | |
| vmware | spring_framework | <= 3.2.7 | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |
| vmware | spring_framework | | |

CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | 6.8 | MEDIUM | |
| osv | 6.8 | MEDIUM | |