CVE-2013-6429
Spring Framework: XML External Entity (XXE) injection flaw
Public Exploits: 0
Exploited in Wild: not recorded
SSVC Decision: not recorded
Description
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
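The description above covers the mechanism in one sentence; the following is an added example, not code from the Spring project or from this advisory, that shows what "does not disable external entity resolution" means in practice. The class name XxeDemo, the helper names and the payload are constructed for the demo; the file it leaks is a temp file it writes itself rather than a real secret. The vulnerable method uses a stock DocumentBuilderFactory, which is the kind of parser a DOMSource is built from; the hardened method applies the two controls the fixed converter exposes as properties, refusing a DOCTYPE entirely and disabling external entity loading. The outbound-request vector that the advisory text labels CSRF is what is usually called SSRF today and is not exercised here.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed attacker payload: the external entity points at a file on the
    // server. The demo targets a temp file it writes itself (assumption: any
    // path the JVM can read, e.g. /etc/passwd, works the same way).
    static String craftedXml(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>";
    }

    static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    // Vulnerable pattern: a stock DocumentBuilderFactory with default features.
    // External general entities are resolved, so the file contents become the
    // text content of <data> and are returned to whoever reads the document.
    static String parseLikeVulnerableConverter(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(asStream(xml));
        return d.getDocumentElement().getTextContent();
    }

    // Hardened pattern: reject any DOCTYPE (the fixed converter's
    // supportDtd=false) and, for deployments that must accept a DTD, turn off
    // both kinds of external entity (processExternalEntities=false).
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder().parse(asStream(xml));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String xml = craftedXml(secret);

        // Prints the temp file's contents: the parser fetched the entity.
        System.out.println("stock parser leaks: " + parseLikeVulnerableConverter(xml));

        // The hardened parser refuses the payload before any entity is touched.
        try {
            parseHardened(xml);
            System.out.println("hardened parser accepted the payload (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on Java 11 or later. In a Spring application on a fixed release (3.2.5 or 4.0.0.RC2 and later) the same two controls are the converter's `setSupportDtd(false)` and `setProcessExternalEntities(false)`, which are the defaults there; the check a practitioner wants is that no custom SourceHttpMessageConverter bean flips either back to true, and that any other XML parser reachable from request bodies applies the same features.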
Timeline
- 2013-11-04 CVE Reserved
- 2014-01-15 CVE Published
- 2023-09-08 EPSS Updated
- 2024-08-06 CVE Updated
- Exploited in Wild: not recorded
- KEV Due Date: none
- First Exploit: not recorded
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-611: Improper Restriction of XML External Entity Reference
References (5 of 9 listed)
URL | Tag
---|---
http://secunia.com/advisories/57915 | Third Party Advisory
http://www.gopivotal.com/security/cve-2013-6429 | Third Party Advisory
http://www.securityfocus.com/archive/1/530770/100/0/threaded | Mailing List
http://www.securityfocus.com/bid/64947 | Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 | Third Party Advisory
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Pivotal Software | Spring Framework | >= 3.0.0 <= 3.2.4 | - | Affected
Vmware | Spring Framework | 4.0.0 | milestone1 | Affected
Vmware | Spring Framework | 4.0.0 | milestone2 | Affected
Vmware | Spring Framework | 4.0.0 | rc1 | Affected