CVE-2013-6429
EPSS 38.7%
libspring-java - several
Published: 2022/5/13    Modified: 2026/4/28
Description
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Affected packages (3)
- Debian/libspring-java: from 0, < 3.0.6.RELEASE-11
- Debian/libspring-java: from 0, < 3.0.6.RELEASE-6+deb7u2
- Maven/org.springframework:spring-web: from 0, < 3.2.5.RELEASE
References (9)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-6429
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2013-6429
- WEB http://rhn.redhat.com/errata/RHSA-2014-0400.html
- WEB http://secunia.com/advisories/57915
- WEB https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8
- WEB https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e
- WEB https://github.com/spring-projects/spring-framework/issues/15704
- WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
- WEB https://jira.spring.io/browse/SPR-11078?redirect=false