CVE-2013-4152 — libspring-java - several

Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

How to fix CVE-2013-4152

To remediate CVE-2013-4152, upgrade the affected package to a fixed version below.

Debian/libspring-java—upgrade to 3.0.6.RELEASE-10 or later
—upgrade to 3.0.6.RELEASE-6+deb7u1 or later
—upgrade to 3.2.4.RELEASE or later

Is CVE-2013-4152 being exploited?

Likely — EPSS is 50.4%, placing CVE-2013-4152 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 3.0.6.RELEASE-10
from 0, < 3.0.6.RELEASE-6+deb7u1
from 0, < 3.2.4.RELEASE

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4152
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4152
WEBrhn.redhat.com/errata/RHSA-2014-0212.html
WEBrhn.redhat.com/errata/RHSA-2014-0245.html
WEB