Candidate: CVE-2013-7315
PublicDate: 2014-01-23 21:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7315
 https://jira.springsource.org/browse/SPR-10806
 http://www.gopivotal.com/security/cve-2013-4152
 http://www.debian.org/security/2014/dsa-2842
 http://seclists.org/fulldisclosure/2013/Nov/14
 http://seclists.org/bugtraq/2013/Aug/154
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152
Description:
 The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720902
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_libspring-java:
upstream_libspring-java: released (3.0.6.RELEASE-10, 3.0.6.RELEASE-6+deb7u1)
lucid_libspring-java: DNE
precise_libspring-java: ignored (reached end-of-life)
precise/esm_libspring-java: DNE (precise was needed)
quantal_libspring-java: ignored (reached end-of-life)
raring_libspring-java: ignored (reached end-of-life)
saucy_libspring-java: ignored (reached end-of-life)
trusty_libspring-java: not-affected (3.0.6.RELEASE-13)
trusty/esm_libspring-java: not-affected (3.0.6.RELEASE-13)
utopic_libspring-java: ignored (reached end-of-life)
vivid_libspring-java: ignored (reached end-of-life)
vivid/stable-phone-overlay_libspring-java: DNE
vivid/ubuntu-core_libspring-java: DNE
wily_libspring-java: ignored (reached end-of-life)
xenial_libspring-java: not-affected (3.2.13-5)
yakkety_libspring-java: ignored (reached end-of-life)
zesty_libspring-java: ignored (reached end-of-life)
artful_libspring-java: ignored (reached end-of-life)
bionic_libspring-java: not-affected (4.3.14-1)
devel_libspring-java: not-affected (4.3.14-1)