CVE-2013-6429 - Medium Severity Vulnerability
Vulnerable Library - spring-web-3.2.4.RELEASE.jar
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.2.4.RELEASE/spring-web-3.2.4.RELEASE.jar
Dependency Hierarchy:
- spring-webmvc-3.2.4.RELEASE.jar (Root Library)
  - :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: c42e663814e4b88294ff90339ad577ca1afcf531
Found in base branch: master
Vulnerability Details
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Publish Date: 2014-01-26
URL: CVE-2013-6429
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429
Release Date: 2014-01-26
Fix Resolution (org.springframework:spring-web): 3.2.5.RELEASE
Direct dependency fix Resolution (org.springframework:spring-webmvc): 3.2.5.RELEASE