CVE-2013-7315

medium VMware
CVSS v3 Base Score
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Score
0.2%
Exploitation probability in 30 days
Top 52% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P
Published: January 23, 2014 (4494 days ago)
Last Modified: April 29, 2026
Vendor: VMware
Source: NVD

Description

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

CWE

CWE-264

Affected Products

springsource spring frameworkvmware spring framework

References

🔗 seclists.org 🔗 seclists.org 🔗 www.debian.org 🔗 www.gopivotal.com 🔗 www.securityfocus.com