Missing XML Validation in Spring Framework

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
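The root cause named in the description is a StAX `XMLInputFactory` left at its defaults, which resolve external entities declared in a DTD. The following Java example is added here to show the defensive configuration; it is not code from the Spring project or from this advisory. It builds a default factory beside a hardened one, feeds both a constructed document whose DOCTYPE declares an external entity (the `file:///nonexistent/placeholder.txt` URI is a deliberately nonexistent placeholder), and reports what each factory does with it. The class name, the sample document and the helper names are this example's own assumptions.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class StaxXxeHardening {

    // Constructed sample: a DOCTYPE declaring an external entity and a body that references it.
    // The SYSTEM URI is a placeholder that does not exist on disk.
    static final String SAMPLE = ""
        + "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder.txt\">]>\n"
        + "<note>&ext;</note>";

    // Default factory: external entity resolution is left enabled, which is the
    // weak configuration the advisory describes for spring-oxm before 3.2.4.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: do not process DTDs at all and never resolve external entities.
    // Both property names are standard JAXP StAX constants.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Parse the document with the given factory and describe the outcome:
    // the character data collected from the element, an unresolved entity reference,
    // or the parser error that stopped processing.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    text.append("[unresolved entity: ").append(r.getLocalName()).append("]");
                }
            }
            r.close();
            return "parsed: \"" + text + "\"";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default  -> " + parse(defaultFactory(), SAMPLE));
        System.out.println("hardened -> " + parse(hardenedFactory(), SAMPLE));
    }
}
```

With the default factory the JDK parser attempts to open the SYSTEM URI, so the reported error mentions the placeholder file: the parser went to the filesystem on the document's instruction. With the hardened factory the DTD is never processed, so the reader either rejects the document at the DOCTYPE or surfaces `&ext;` as an unresolved reference, and in neither case is any file touched. When the parser is created by Spring rather than by application code, patched spring-oxm releases expose `Jaxb2Marshaller.setProcessExternalEntities(boolean)` and `setSupportDtd(boolean)` for the same two settings; confirm against the release in use that both default to the safe value.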

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory
Repository advisory
Source code: Not specified
Published (advisory): 2022-05-13 01:02:38 UTC
Updated: 2024-02-27 23:11:43 UTC
GitHub reviewed: 2022-07-07 23:18:12 UTC
NVD published: 2014-01-23

EPSS Score

Score: 0.24%
Percentile: 47.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE-112: Missing XML Validation

Credits

  • sunSUNQ (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: maven
Package: org.springframework:spring-oxm
Vulnerable range: <= 3.2.3.RELEASE
First patched: 3.2.4.RELEASE
Vulnerable functions: none listed
