CVE-2013-4152

N/A Unknown

Published: January 23, 2014 Modified: April 29, 2026

Description

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2014-0212.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2014-0245.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2014-0254.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2014-0400.html

Source: secalert@redhat.com

http://seclists.org/bugtraq/2013/Aug/154

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2013/Nov/14

Source: secalert@redhat.com

http://secunia.com/advisories/56247

Source: secalert@redhat.com

http://secunia.com/advisories/57915

Source: secalert@redhat.com

http://www.debian.org/security/2014/dsa-2842

Source: secalert@redhat.com

http://www.gopivotal.com/security/cve-2013-4152

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/61951

Source: secalert@redhat.com

https://github.com/spring-projects/spring-framework/pull/317/files

Source: secalert@redhat.com

Patch

https://jira.springsource.org/browse/SPR-10806

Source: secalert@redhat.com

Exploit Patch

http://rhn.redhat.com/errata/RHSA-2014-0212.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2014-0245.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2014-0254.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2014-0400.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/bugtraq/2013/Aug/154

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2013/Nov/14

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/56247

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/57915

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2014/dsa-2842

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.gopivotal.com/security/cve-2013-4152

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/61951

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/spring-projects/spring-framework/pull/317/files

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://jira.springsource.org/browse/SPR-10806

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Patch

26 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

72.3%

99th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-264

Affected Vendors

vmware springsource

Related CVEs

CVE-2026-41971 5.5

CVE-2026-41970 6.8

CVE-2026-41969 6.2

CVE-2026-41968 5.9

CVE-2026-41967 5.9