CVE-2013-4152
Description
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework:spring-oxm (Maven) | < 3.2.4.RELEASE | 3.2.4.RELEASE |
Affected products
springsource:spring_framework (15 entries)
- cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
vmware:spring_framework (12 entries)
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* (range: <= 3.2.3)
- cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
Patches
7576274874de: Fix potential security risk when using Spring OXM
1 file changed · +3 −1
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java+3 −1 modified@@ -226,7 +226,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE * @return the created factory */ protected XMLInputFactory createXmlInputFactory() { - return XMLInputFactory.newInstance(); + XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false); + return inputFactory; } }
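Review bot: Setting only XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES to false in createXmlInputFactory() stops the StAX reader from expanding entity references, but it leaves DTD processing enabled, so a DOCTYPE in the request body is still parsed and an external DTD subset may still be fetched by the underlying implementation; consider also setting XMLInputFactory.SUPPORT_DTD to false (or, where DTDs must be accepted, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false together with an XMLResolver that refuses external resources). Two smaller points: this hunk only hardens the StAX path in spring-web's Jaxb2CollectionHttpMessageConverter, while the advisory description also names DOMSource, SAXSource and StreamSource handling in Spring OXM, so confirm those paths are covered by a companion change; and the javadoc above (`@return the created factory`) says nothing about why entity replacement is disabled, so a one-line comment naming the XXE concern would keep a later refactor from silently reverting it.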
434735fbf6e7: Fix potential security risk when using Spring OXM
1 file changed · +3 −1
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java+3 −1 modified@@ -224,7 +224,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE * @return the created factory */ protected XMLInputFactory createXmlInputFactory() { - return XMLInputFactory.newInstance(); + XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false); + return inputFactory; } }
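Review bot: The commit message "Fix potential security risk when using Spring OXM" does not say which risk is being fixed or which property is changed, and the hunk itself lands in spring-web's Jaxb2CollectionHttpMessageConverter rather than in a spring-oxm class; naming the issue (XXE through entity expansion), the CVE id and the property, in the message or in a comment beside the setProperty call, would make this backport and its sibling commit 7576274874de (the identical hunk at line 226) easy to match when auditing release branches. As in that sibling, XMLInputFactory.SUPPORT_DTD is left at its default here, so consider setting it to false alongside IS_REPLACING_ENTITY_REFERENCES.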
References
- github.com/spring-projects/spring-framework/pull/317/files (nvd: Patch, WEB)
- jira.springsource.org/browse/SPR-10806 (nvd: Exploit, Patch)
- www.gopivotal.com/security/cve-2013-4152 (nvd: Vendor Advisory, WEB)
- github.com/advisories/GHSA-rp4p-g69r-438x (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-4152 (ghsa: ADVISORY)
- rhn.redhat.com/errata/RHSA-2014-0212.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2014-0245.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2014-0254.html (nvd: WEB)
- rhn.redhat.com/errata/RHSA-2014-0400.html (nvd: WEB)
- seclists.org/bugtraq/2013/Aug/154 (nvd: WEB)
- seclists.org/fulldisclosure/2013/Nov/14 (nvd: WEB)
- www.debian.org/security/2014/dsa-2842 (nvd: WEB)
- github.com/spring-projects/spring-framework/commit/434735fbf6e7f9051af2ef027657edb99120b173 (ghsa: WEB)
- github.com/spring-projects/spring-framework/commit/7576274874deeccb6da6b09a8d5bd62e8b5538b7 (ghsa: WEB)
- secunia.com/advisories/56247 (nvd)
- secunia.com/advisories/57915 (nvd)
- www.securityfocus.com/bid/61951 (nvd)