Cross-Site Request Forgery in Spring Framework

GHSA-g6hf-f9cq-q7w7 · CVE-2013-6429

Published May 13, 2022 · Modified Dec 4, 2024

Description

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-6429
WEB https://github.com/spring-projects/spring-framework/issues/15704
WEB https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8
WEB https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e
WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
WEB https://jira.spring.io/browse/SPR-11078?redirect=false
WEB http://rhn.redhat.com/errata/RHSA-2014-0400.html
WEB http://secunia.com/advisories/57915

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes