Moderate severityNVD Advisory· Published Jan 23, 2014· Updated Apr 29, 2026
CVE-2013-7315
CVE-2013-7315
Description
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-oxmMaven | < 3.2.4.RELEASE | 3.2.4.RELEASE |
Affected products
28cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*range: <=3.2.3
- cpe:2.3:a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
Patches
2434735fbf6e7Fix potential security risk when using Spring OXM
1 file changed · +3 −1
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java+3 −1 modified@@ -224,7 +224,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE * @return the created factory */ protected XMLInputFactory createXmlInputFactory() { - return XMLInputFactory.newInstance(); + XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false); + return inputFactory; } }
7576274874deFix potential security risk when using Spring OXM
1 file changed · +3 −1
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java+3 −1 modified@@ -226,7 +226,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE * @return the created factory */ protected XMLInputFactory createXmlInputFactory() { - return XMLInputFactory.newInstance(); + XMLInputFactory inputFactory = XMLInputFactory.newInstance(); + inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false); + return inputFactory; } }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12- jira.springsource.org/browse/SPR-10806nvdExploitPatch
- www.gopivotal.com/security/cve-2013-4152nvdVendor Advisory
- github.com/advisories/GHSA-vp63-rrcm-9mphghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2013-7315ghsaADVISORY
- seclists.org/bugtraq/2013/Aug/154nvdWEB
- seclists.org/fulldisclosure/2013/Nov/14nvdWEB
- www.debian.org/security/2014/dsa-2842nvdWEB
- www.securityfocus.com/bid/77998nvdWEB
- github.com/spring-projects/spring-framework/commit/434735fbf6e7f9051af2ef027657edb99120b173ghsaWEB
- github.com/spring-projects/spring-framework/commit/7576274874deeccb6da6b09a8d5bd62e8b5538b7ghsaWEB
- github.com/spring-projects/spring-framework/issues/15432ghsaWEB
- jira.spring.io/browse/SPR-10806ghsaWEB
News mentions
0No linked articles in our index yet.