CVE-2013-7315

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 23-01-2014 10:55

Last modified: - 11-04-2022 07:36

Total changes: - 2

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:M/Au:N/C:P/I:P/A:P

Low

Attack complexity

Network

Attack vector

Low

Availability

Low

Confidentiality

Low

Integrity

Privileges required

Scope

User interaction

6.8

Base score

8.6

6.4

Exploitability score

Impact score

Verification logic

vendor=vmware AND product=spring_framework AND version=3.1.4

vendor=vmware AND product=spring_framework AND version=3.1.3

vendor=vmware AND product=spring_framework AND version=4.0.0 AND update=milestone2

vendor=springsource AND product=spring_framework AND version=3.0.5

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc2

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc1

vendor=vmware AND product=spring_framework AND versionEndIncluding=3.2.3

vendor=vmware AND product=spring_framework AND version=3.2.2

vendor=vmware AND product=spring_framework AND version=3.1.0

vendor=vmware AND product=spring_framework AND version=3.0.7

vendor=springsource AND product=spring_framework AND version=3.0.2

vendor=springsource AND product=spring_framework AND version=3.0.1

vendor=springsource AND product=spring_framework AND version=3.0.0.m2

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m2

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m1

vendor=vmware AND product=spring_framework AND version=3.2.1

vendor=vmware AND product=spring_framework AND version=3.2.0

vendor=vmware AND product=spring_framework AND version=3.0.6

vendor=vmware AND product=spring_framework AND version=4.0.0 AND update=milestone1

vendor=springsource AND product=spring_framework AND version=3.0.0.m1

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=rc3

vendor=springsource AND product=spring_framework AND version=3.0.0

vendor=vmware AND product=spring_framework AND version=3.1.2

vendor=vmware AND product=spring_framework AND version=3.1.1

vendor=springsource AND product=spring_framework AND version=3.0.4

vendor=springsource AND product=spring_framework AND version=3.0.3

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m4

vendor=springsource AND product=spring_framework AND version=3.0.0 AND update=m3

Reference

Keywords

CVE-2013-7315

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2013-7315

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures