VYPR
Moderate severity · NVD Advisory · Published Jan 23, 2014 · Updated Jun 16, 2026

CVE-2013-4152
Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
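As an added defensive illustration, not code from the advisory or the Spring project: the hardening that 3.2.4 applies by default can be reproduced by hand for any JAXB unmarshal path by building the StAX reader yourself with DTD support and external entity resolution switched off, then handing JAXB a StAXSource so it never parses the raw bytes itself. The Note type, the class name and both inputs are constructed for the example; it assumes Java 8 with javax.xml.bind on the classpath.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stax.StAXSource;

public class HardenedJaxbUnmarshal {

    // Hypothetical payload type, constructed for this example.
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Build a StAX reader that refuses DTDs and external entities. This is the
    // equivalent of what Spring 3.2.4's Jaxb2Marshaller does by default; doing it
    // by hand covers a plain JAXB call path or an older Spring version.
    static XMLStreamReader hardenedReader(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f.createXMLStreamReader(new StringReader(xml));
    }

    static Note unmarshal(String xml) throws JAXBException, XMLStreamException {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        // The StAXSource carries the hardened reader; JAXB reads events from it.
        return (Note) u.unmarshal(new StAXSource(hardenedReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document, and one carrying a DOCTYPE that
        // declares an external entity and references it, the pattern in the CVE text.
        String benign = "<note><body>hello</body></note>";
        String withDtd = "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                       + "<note><body>&ext;</body></note>";
        System.out.println("benign body: " + unmarshal(benign).body);
        try {
            unmarshal(withDtd);
            System.out.println("UNEXPECTED: DTD input was accepted");
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("rejected DTD input: " + e.getClass().getSimpleName());
        }
    }
}
```

With the hardened factory the second document fails during parsing instead of resolving the entity; on a patched Spring, the same outcome is the default behaviour of Jaxb2Marshaller, and a deployment check is to confirm no code re-enables it via setProcessExternalEntities(true).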

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
org.springframework:spring-oxm (Maven)   < 3.2.4.RELEASE     3.2.4.RELEASE

Affected products

28 CPE entries

springsource:spring_framework
  • cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*

vmware:spring_framework
  • cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (range: <= 3.2.3)
  • cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*

GHSA coordinates
  Range: < 3.2.4.RELEASE
