CVE-2013-6429 — MEDIUM (6.8)

Q: How severe is CVE-2013-6429?

CVE-2013-6429 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-6429?

Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Framework, Vmware Spring Framework.

Vulnerability Description

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Pivotal Software	Spring Framework	>= 3.0.0, <= 3.2.4
Vmware	Spring Framework	4.0.0

Related Weaknesses (CWE)

CWE-611 CWE-352

References

http://rhn.redhat.com/errata/RHSA-2014-0400.htmlThird Party Advisory
http://secunia.com/advisories/57915Third Party Advisory
http://www.gopivotal.com/security/cve-2013-6429Third Party Advisory
http://www.securityfocus.com/archive/1/530770/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/64947Third Party AdvisoryVDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-cThird Party Advisory
https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.syThird Party AdvisoryVendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0400.htmlThird Party Advisory
http://secunia.com/advisories/57915Third Party Advisory
http://www.gopivotal.com/security/cve-2013-6429Third Party Advisory
http://www.securityfocus.com/archive/1/530770/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/64947Third Party AdvisoryVDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-cThird Party Advisory
https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.syThird Party AdvisoryVendor Advisory

FAQ

What is CVE-2013-6429?

CVE-2013-6429 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrar...

How severe is CVE-2013-6429?

CVE-2013-6429 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-6429?

Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Spring Framework, Vmware Spring Framework.