Vulnerability Details: CVE-2013-7315
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerability categories: Cross-site request forgery (CSRF); XML external entity (XXE) injection; Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2013-7315
Probability of exploitation activity in the next 30 days: 0.56%
Percentile (the proportion of vulnerabilities scored at or below this one): ~75%
CVSS scores for CVE-2013-7315
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST
CWE ids for CVE-2013-7315
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7315
- http://www.securityfocus.com/bid/77998 (Spring Framework CVE-2013-7315 Denial-Of-Service Vulnerability)
- http://www.gopivotal.com/security/cve-2013-4152 (CVE-2013-4152 XML eXternal Entity (XXE) injection in Spring Framework | Security | Pivotal) [Vendor Advisory]
- http://seclists.org/fulldisclosure/2013/Nov/14 (Full Disclosure: XXE Injection in Spring Framework)
- http://seclists.org/bugtraq/2013/Aug/154 (Bugtraq: CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework)
- https://jira.springsource.org/browse/SPR-10806 (Fix potential security risk when using Spring OXM [SPR-10806] · Issue #15432 · spring-projects/spring-framework · GitHub) [Exploit; Patch]
- http://www.debian.org/security/2014/dsa-2842 (Debian -- Security Information -- DSA-2842-1 libspring-java)
Products affected by CVE-2013-7315
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*