CVE-2013-7315: CSRF
First published: Thu Jan 23 2014(Updated: )
It was found that Spring MVC processed user-provided XML with JAXB, in combination with a StAX XMLInputFactory, without disabling external entity resolution. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. This flaw affects Spring Framework 3.2.x before 3.2.4 and 4.0.0.M1 through 4.0.0.M2.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Spring Framework | <3.2.4 | 3.2.4 |
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| SpringSource Spring Framework | =3.0.0 | |
| SpringSource Spring Framework | =3.0.0-m1 | |
| SpringSource Spring Framework | =3.0.0-m2 | |
| SpringSource Spring Framework | =3.0.0-m3 | |
| SpringSource Spring Framework | =3.0.0-m4 | |
| SpringSource Spring Framework | =3.0.0-rc1 | |
| SpringSource Spring Framework | =3.0.0-rc2 | |
| SpringSource Spring Framework | =3.0.0-rc3 | |
| SpringSource Spring Framework | =3.0.0.m1 | |
| SpringSource Spring Framework | =3.0.0.m2 | |
| SpringSource Spring Framework | =3.0.1 | |
| SpringSource Spring Framework | =3.0.2 | |
| SpringSource Spring Framework | =3.0.3 | |
| SpringSource Spring Framework | =3.0.4 | |
| SpringSource Spring Framework | =3.0.5 | |
| VMware Spring Framework | <=3.2.3 | |
| VMware Spring Framework | =3.0.6 | |
| VMware Spring Framework | =3.0.7 | |
| VMware Spring Framework | =3.1.0 | |
| VMware Spring Framework | =3.1.1 | |
| VMware Spring Framework | =3.1.2 | |
| VMware Spring Framework | =3.1.3 | |
| VMware Spring Framework | =3.1.4 | |
| VMware Spring Framework | =3.2.0 | |
| VMware Spring Framework | =3.2.1 | |
| VMware Spring Framework | =3.2.2 | |
| VMware Spring Framework | =4.0.0-milestone1 | |
| VMware Spring Framework | =4.0.0-milestone2 | |
| maven/org.springframework:spring-oxm | <=3.2.3.RELEASE | 3.2.4.RELEASE |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2013-7315 https://nvd.nist.gov/vuln/detail/CVE-2013-7315
- https://bugzilla.redhat.com/show_bug.cgi?id=1061509
- https://access.redhat.com/security/cve/CVE-2013-7315
- https://jira.springsource.org/secure/attachment/21319/Jaxb2CollectionHttpMessageConverter.patch
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95219
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
- http://seclists.org/bugtraq/2013/Aug/154
- http://seclists.org/fulldisclosure/2013/Nov/14
- http://www.debian.org/security/2014/dsa-2842
- http://www.gopivotal.com/security/cve-2013-4152
- http://www.securityfocus.com/bid/77998
- https://jira.springsource.org/browse/SPR-10806
- https://nvd.nist.gov/vuln/detail/CVE-2013-7315
- https://github.com/spring-projects/spring-framework/issues/15432
- https://jira.spring.io/browse/SPR-10806?redirect=false
- https://github.com/spring-projects/spring-framework/commit/434735fbf6e7f9051af2ef027657edb99120b173
- https://github.com/spring-projects/spring-framework/commit/7576274874deeccb6da6b09a8d5bd62e8b5538b7
- https://github.com/advisories/GHSA-vp63-rrcm-9mph (Advisory)
Frequently Asked Questions
What is CVE-2013-7315?
CVE-2013-7315 is a vulnerability in the Spring Framework that allows remote attackers to obtain sensitive information and conduct CSRF attacks.
What is the severity of CVE-2013-7315?
The severity of CVE-2013-7315 is medium with a CVSS score of 6.8.
How does CVE-2013-7315 affect the Spring Framework?
CVE-2013-7315 affects Spring MVC in Spring Framework versions before 3.2.4 and 4.0.0.M1 through 4.0.0.M2.
What is the impact of CVE-2013-7315?
The impact of CVE-2013-7315 includes reading arbitrary files, causing a denial of service, and conducting CSRF attacks.
How can I fix CVE-2013-7315?
To fix CVE-2013-7315, update your Spring Framework to version 3.2.4 or apply the recommended remedy from Red Hat.
- collector/redhat-cve
- collector/redhat-bugzilla
- alias/CVE-2013-7315
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vp63-rrcm-9mph
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/springsource
- canonical/springsource spring framework
- version/springsource spring framework/3.0.0
- version/springsource spring framework/3.0.0-m1
- version/springsource spring framework/3.0.0-m2
- version/springsource spring framework/3.0.0-m3
- version/springsource spring framework/3.0.0-m4
- version/springsource spring framework/3.0.0-rc1
- version/springsource spring framework/3.0.0-rc2
- version/springsource spring framework/3.0.0-rc3
- version/springsource spring framework/3.0.0.m1
- version/springsource spring framework/3.0.0.m2
- version/springsource spring framework/3.0.1
- version/springsource spring framework/3.0.2
- version/springsource spring framework/3.0.3
- version/springsource spring framework/3.0.4
- version/springsource spring framework/3.0.5
- vendor/vmware
- canonical/vmware spring framework
- version/vmware spring framework/3.2.3
- version/vmware spring framework/3.0.6
- version/vmware spring framework/3.0.7
- version/vmware spring framework/3.1.0
- version/vmware spring framework/3.1.1
- version/vmware spring framework/3.1.2
- version/vmware spring framework/3.1.3
- version/vmware spring framework/3.1.4
- version/vmware spring framework/3.2.0
- version/vmware spring framework/3.2.1
- version/vmware spring framework/3.2.2
- version/vmware spring framework/4.0.0-milestone1
- version/vmware spring framework/4.0.0-milestone2
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19