CVE-2013-6429: CSRF
First published: Tue Jan 14 2014(Updated: )
It was found that the Spring MVC SourceHttpMessageConverter processed user-provided XML, and did not expose any property for disabling entity resolution in the XML. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. This flaw is considered to be the result of an incomplete fix for <a href="https://access.redhat.com/security/cve/CVE-2013-4152">CVE-2013-4152</a>.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| Pivotal Software Spring Framework | >=3.0.0<=3.2.4 | |
| VMware Spring Framework | =4.0.0-milestone1 | |
| VMware Spring Framework | =4.0.0-milestone2 | |
| VMware Spring Framework | =4.0.0-rc1 | |
| maven/org.springframework:spring-web | <=3.2.4.RELEASE | 3.2.5.RELEASE |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2013-4152
- https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8a
- http://www.gopivotal.com/security/cve-2013-6429
- https://rhn.redhat.com/errata/RHSA-2014-0401.html
- https://rhn.redhat.com/errata/RHSA-2014-0400.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1053290
- https://www.cve.org/CVERecord?id=CVE-2013-6429 https://nvd.nist.gov/vuln/detail/CVE-2013-6429 http://www.gopivotal.com/security/cve-2013-6429
- https://access.redhat.com/errata/RHSA-2014:0401
- https://access.redhat.com/errata/RHSA-2014:0400
- https://access.redhat.com/security/cve/CVE-2013-6429
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90451
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- http://rhn.redhat.com/errata/RHSA-2014-0400.html
- http://secunia.com/advisories/57915
- http://www.securityfocus.com/archive/1/530770/100/0/threaded
- http://www.securityfocus.com/bid/64947
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
- https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel
- https://nvd.nist.gov/vuln/detail/CVE-2013-6429
- https://github.com/spring-projects/spring-framework/issues/15704
- https://jira.spring.io/browse/SPR-11078?redirect=false
- https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8
- https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e
- https://github.com/advisories/GHSA-g6hf-f9cq-q7w7 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-6429?
The severity of CVE-2013-6429 is medium with a score of 6.8.
How does CVE-2013-6429 impact Spring Framework?
CVE-2013-6429 allows remote attackers to read arbitrary files, cause denial of service, and conduct CSRF attacks via crafted XML.
Which versions of Spring Framework are affected by CVE-2013-6429?
Spring Framework versions before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 are affected by CVE-2013-6429.
Is there a fix available for CVE-2013-6429?
Yes, updating to Spring Framework version 3.2.5 or newer, or version 4.0.0.RC2 or newer, will fix CVE-2013-6429.
Where can I find more information about CVE-2013-6429?
You can find more information about CVE-2013-6429 on the Red Hat Security website, the Spring Framework GitHub repository, and the Pivotal website.
- collector/redhat-bugzilla
- alias/CVE-2013-6429
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g6hf-f9cq-q7w7
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- vendor/pivotal software
- canonical/pivotal software spring framework
- version/pivotal software spring framework/3.0.0
- version/pivotal software spring framework/3.2.4
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/4.0.0-milestone1
- version/vmware spring framework/4.0.0-milestone2
- version/vmware spring framework/4.0.0-rc1
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19