CVE-2013-4152 Information

Feb 14, 2021 cve

Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1 when using the JAXB marshaller does not disable entity resolution which allows context-dependent attackers to read arbitrary files cause a denial of service and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource (2) StAXSource (3) SAXSource or (4) StreamSource aka an XML External Entity (XXE) issue.

Reference

http://rhn.redhat.com/errata/RHSA-2014-0212.html http://rhn.redhat.com/errata/RHSA-2014-0245.html http://rhn.redhat.com/errata/RHSA-2014-0254.html http://rhn.redhat.com/errata/RHSA-2014-0400.html http://seclists.org/bugtraq/2013/Aug/154 http://seclists.org/fulldisclosure/2013/Nov/14 http://secunia.com/advisories/56247 http://secunia.com/advisories/57915 http://www.debian.org/security/2014/dsa-2842 http://www.gopivotal.com/security/cve-2013-4152 http://www.securityfocus.com/bid/61951 https://github.com/spring-projects/spring-framework/pull/317/files https://jira.springsource.org/browse/SPR-10806

Share on: