CVE-2013-7315 — Missing XML Validation in Spring Framework

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

How to fix CVE-2013-7315

To remediate CVE-2013-7315, upgrade the affected package to a fixed version below.

—upgrade to 3.0.6.RELEASE-10 or later
—upgrade to 3.2.4.RELEASE or later

Is CVE-2013-7315 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.6.RELEASE-10
from 0, < 3.2.4.RELEASE

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-7315
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-7315
WEBseclists.org/bugtraq/2013/Aug/154
WEBseclists.org/fulldisclosure/2013/Nov/14
WEB