CVE-2013-6429

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:pivotal_software:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:rc1:*:*:*:*:*:*

History

21 Nov 2024, 01:59

Type Values Removed Values Added
References () http://rhn.redhat.com/errata/RHSA-2014-0400.html - Third Party Advisory () http://rhn.redhat.com/errata/RHSA-2014-0400.html - Third Party Advisory
References () http://secunia.com/advisories/57915 - Third Party Advisory () http://secunia.com/advisories/57915 - Third Party Advisory
References () http://www.gopivotal.com/security/cve-2013-6429 - Third Party Advisory () http://www.gopivotal.com/security/cve-2013-6429 - Third Party Advisory
References () http://www.securityfocus.com/archive/1/530770/100/0/threaded - Third Party Advisory, VDB Entry () http://www.securityfocus.com/archive/1/530770/100/0/threaded - Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/64947 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/64947 - Third Party Advisory, VDB Entry
References () https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 - Third Party Advisory () https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 - Third Party Advisory
References () https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel - Third Party Advisory, Vendor Advisory () https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel - Third Party Advisory, Vendor Advisory

11 Apr 2022, 17:16

Type Values Removed Values Added
CPE cpe:2.3:a:pivotal_software:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_framework:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:pivotal_software:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:4.0.0:rc1:*:*:*:*:*:*

Information

Published : 2014-01-26 16:58

Updated : 2024-11-21 01:59


NVD link : CVE-2013-6429

Mitre link : CVE-2013-6429

CVE.ORG link : CVE-2013-6429


JSON object : View

Products Affected

vmware

  • spring_framework

pivotal_software

  • spring_framework
CWE
CWE-352

Cross-Site Request Forgery (CSRF)

CWE-611

Improper Restriction of XML External Entity Reference