ID CVE-2013-6429
Summary The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
References
Vulnerable Configurations
  • cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:4.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.0:rc2-a:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_framework:3.2.4:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 11-04-2022 - 17:16)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
rhsa
id RHSA-2014:0400
refmap via4
bid 64947
bugtraq 20140114 CVE-2013-6429 Fix for XML External Entity (XXE) injection (CVE-2013-4152) in Spring Framework was incomplete
confirm
secunia 57915
Last major update 11-04-2022 - 17:16
Published 26-01-2014 - 16:58
Last modified 11-04-2022 - 17:16