CVE-2013-6429
Spring Framework < 3.2.5 - XML External Entity Injection and Cross-Site Request Forgery via Unsafe XML Parsing
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
References (7)
Third Party Advisory, Vendor Advisory (x_refsource_confirm): https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel
Third Party Advisory, VDB Entry, mailing-list (x_refsource_bugtraq): http://www.securityfocus.com/archive/1/530770/100/0/threaded
Third Party Advisory (x_refsource_confirm): https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
Third Party Advisory (x_refsource_confirm): http://www.gopivotal.com/security/cve-2013-6429
Third Party Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2014-0400.html
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/64947
Third Party Advisory, third-party-advisory (x_refsource_secunia): http://secunia.com/advisories/57915
Scores
EPSS: 0.3872
EPSS Percentile: 97.3%
Details
CWE: CWE-352, CWE-611
Status: published
Products (3)
org.springframework/spring-web: 0 - 3.2.5.RELEASE (Maven)
pivotal_software/spring_framework: 3.0.0 - 3.2.4
vmware/spring_framework: 4.0.0 milestone1 (3 CPE variants)
Published: Jan 26, 2014
Tracked Since: Feb 18, 2026