CVE-2013-4152 — MEDIUM (6.8)

Q: How severe is CVE-2013-4152?

CVE-2013-4152 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-4152?

Check the references section above for vendor advisories and patch information. Affected products include: Springsource Spring Framework, Vmware Spring Framework.

Vulnerability Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Springsource	Spring Framework	3.0.0
Vmware	Spring Framework	<= 3.2.3

Related Weaknesses (CWE)

CWE-264

References

FAQ

What is CVE-2013-4152?

CVE-2013-4152 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary fil...

How severe is CVE-2013-4152?

CVE-2013-4152 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-4152?

Check the references section above for vendor advisories and patch information. Affected products include: Springsource Spring Framework, Vmware Spring Framework.