CVE-2013-7315: Missing XML Validation in VMware Spring Framework

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.2% (top 52.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 23; Latest update May 13

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
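The hardening the description implies, as an added example rather than Spring's own code: a StAX XMLInputFactory with DTD support and external entity resolution switched off before its reader is handed to JAXB, plus a check a unit test can run to catch the setting being reverted. It assumes javax.xml.bind on the classpath (JDK 8, or the jaxb-api artifact) and a constructed Order type.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxJaxb {

    // Constructed sample type for this example; not a Spring class.
    @XmlRootElement(name = "order")
    public static class Order {
        public String id;
    }

    // The weak setup the CVE describes: JDK defaults leave DTD processing
    // and external entity resolution enabled on the factory.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened setup: no DTDs, no external entities. This is the change a
    // patched converter has to make before creating readers for JAXB.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Regression check: both properties must read back as FALSE.
    static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    // Unmarshal through an explicitly configured StAX reader instead of
    // letting JAXB build its own parser from a stream or Source.
    static Order unmarshal(XMLInputFactory f, String xml) throws Exception {
        XMLStreamReader reader = f.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) u.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        String xml = "<order><id>42</id></order>"; // constructed, benign input
        System.out.println("default factory hardened: " + isHardened(defaultFactory()));
        System.out.println("hardened factory hardened: " + isHardened(hardenedFactory()));
        System.out.println("parsed id: " + unmarshal(hardenedFactory(), xml).id);
    }
}
```

How a hardened reader reacts to a document carrying a DOCTYPE (skip versus XMLStreamException) differs between StAX implementations, so a test that relies on that behaviour should be run against the parser actually deployed.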

CVSS vector

AV:N/AC:M/C:P/I:P/A:P (Exploitability: 8.6 | Impact: 6.4)

Affected Packages (2 packages)

Patches

Vulnerability Details (6)

OSV: Missing XML Validation in Spring Framework (2022-05-13)
GHSA: Missing XML Validation in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
GHSA: Cross-Site Request Forgery in Spring Framework (2022-05-13)
CVEList: CVE-2013-7315: The Spring MVC in Spring Framework before 3 (2014-01-23)

Vendor Advisories (3)

Red Hat: Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429 (2014-01-31)
Red Hat: Framework: XML External Entity (XXE) injection flaw (2014-01-14)
Debian: CVE-2013-7315: libspring-java - The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 do... (2013)

Community (2)

Bugzilla: CVE-2014-0054 Spring Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429 (2014-03-12)
Bugzilla: CVE-2013-7315 Spring Framework: XML External Entity (XXE) injection flaw (2014-02-05)

Source: cvebase, CVE-2013-7315: Missing XML Validation in VMware