CVE Database


Impact: Moderate
Public: 2013-08-22
Bugzilla: 1000186: CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw


The MITRE CVE dictionary describes this issue as:

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Find out more about CVE-2013-4152 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 5.0
Base Metrics: AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform Errata Release Date
RHOSE Client 1.2 (activemq) RHSA-2014:0254 March 05, 2014
RHOSE Client 2.0 (activemq) RHSA-2014:0245 March 03, 2014
Red Hat JBoss A-MQ 6.1 RHSA-2014:0401 April 14, 2014
Red Hat JBoss Fuse 6.1 RHSA-2014:0400 April 14, 2014
Red Hat JBoss SOA Platform 5.3 RHSA-2014:0212 February 25, 2014

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.