medium
6.8
CWE
352 264
Advisory Published
Advisory Published
Updated

CVE-2013-4152: CSRF

First published: Thu Aug 22 2013(Updated: )

It was reported [1] that the Spring Framework suffered from several XML External Entity (XXE) flaws: Versions Affected: - 3.0.0 to 3.2.3 (Spring OXM) - 3.2.0 to 3.2.3 (Spring MVC) - 4.0.0.M1 (Spring OXM) - 4.0.0.M1-4.0.0.M2 (Spring MVC) - Earlier unsupported versions may also be affected Description: The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller: - DOMSource - StAXSource - SAXSource - StreamSource For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE. For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE. For SAXSource and StreamSource instances, Spring processed external entities by default thereby creating this vulnerability. The issue was resolved by disabling external entity processing by default and adding an option to enable it for those users that need to use this feature when processing XML from a trusted source. It was also identified that Spring MVC processed user provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case. Mitigation: Users of affected versions should apply the following mitigation: - Users of 3.x should upgrade to 3.2.4 or later - Users of 4.x should upgrade to 4.0.0.RC1 or later once released Note the Spring OXM issue is fixed in 4.0.0.M2 [1] <a href="http://seclists.org/bugtraq/2013/Aug/154">http://seclists.org/bugtraq/2013/Aug/154</a> External References: <a href="http://www.gopivotal.com/security/cve-2013-4152">http://www.gopivotal.com/security/cve-2013-4152</a> <a href="https://github.com/SpringSource/spring-framework/pull/317">https://github.com/SpringSource/spring-framework/pull/317</a> <a href="https://jira.springsource.org/browse/SPR-10806">https://jira.springsource.org/browse/SPR-10806</a>

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/activemq<0:5.9.0-4.redhat.610328.el6
0:5.9.0-4.redhat.610328.el6
redhat/Spring Framework<3.2.4
3.2.4
IBM Security Directory Suite VA<=8.0.1-8.0.1.19
SpringSource Spring Framework=3.0.0
SpringSource Spring Framework=3.0.0-m1
SpringSource Spring Framework=3.0.0-m2
SpringSource Spring Framework=3.0.0-m3
SpringSource Spring Framework=3.0.0-m4
SpringSource Spring Framework=3.0.0-rc1
SpringSource Spring Framework=3.0.0-rc2
SpringSource Spring Framework=3.0.0-rc3
SpringSource Spring Framework=3.0.0.m1
SpringSource Spring Framework=3.0.0.m2
SpringSource Spring Framework=3.0.1
SpringSource Spring Framework=3.0.2
SpringSource Spring Framework=3.0.3
SpringSource Spring Framework=3.0.4
SpringSource Spring Framework=3.0.5
VMware Spring Framework<=3.2.3
VMware Spring Framework=3.0.6
VMware Spring Framework=3.0.7
VMware Spring Framework=3.1.0
VMware Spring Framework=3.1.1
VMware Spring Framework=3.1.2
VMware Spring Framework=3.1.3
VMware Spring Framework=3.1.4
VMware Spring Framework=3.2.0
VMware Spring Framework=3.2.1
VMware Spring Framework=3.2.2
VMware Spring Framework=4.0.0-milestone1
maven/org.springframework:spring-oxm<=3.2.3.RELEASE
3.2.4.RELEASE

Remedy

https://github.com/spring-projects/spring-framework/pull/317/files

Remedy

https://jira.springsource.org/browse/SPR-10806

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2013-4152?

    CVE-2013-4152 is a vulnerability in the Pivotal Spring Framework that allows a remote attacker to obtain sensitive information and conduct CSRF attacks.

  • What is the severity of CVE-2013-4152?

    The severity of CVE-2013-4152 is medium, with a CVSS score of 6.8.

  • How does CVE-2013-4152 work?

    CVE-2013-4152 works by exploiting the Spring OXM wrapper in Spring Framework before version 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, which does not disable entity resolution.

  • How can I fix CVE-2013-4152?

    To fix CVE-2013-4152, update to Spring Framework version 3.2.4 or later.

  • Where can I find more information about CVE-2013-4152?

    You can find more information about CVE-2013-4152 on the CVE website, NVD website, Pivotal's security advisory, and the GitHub and JIRA pages associated with the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203