CVE-2013-4152

Description
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when
using the JAXB marshaller, does not disable entity resolution, which allows
context-dependent attackers to read arbitrary files, cause a denial of
service, and conduct CSRF attacks via an XML external entity declaration in
conjunction with an entity reference in a (1) DOMSource, (2) StAXSource,
(3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
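As an added example (not the page's text or Spring's own fix), the hardening the advisory implies for the SAXSource and StAXSource cases: build the source on a parser that refuses DTDs and external entities before handing it to a JAXB unmarshaller. It assumes the javax.xml.bind JAXB API on the classpath and the JDK's Xerces-derived parser, which honours the disallow-doctype-decl feature.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedJaxbSources {

    // SAXSource whose XMLReader rejects any DOCTYPE and never resolves
    // external general or parameter entities. JAXB uses the reader that
    // the SAXSource carries, so these features govern the unmarshal.
    static SAXSource saxSource(String xml)
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    // StAXSource built on an XMLInputFactory with DTD support and external
    // entity expansion switched off; the stream reader starts at START_DOCUMENT,
    // which is what the StAXSource constructor requires.
    static StAXSource staxSource(String xml) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return new StAXSource(f.createXMLStreamReader(new StringReader(xml)));
    }

    // Unmarshal through the hardened source; a DOCTYPE in the input now
    // surfaces as a JAXBException instead of being resolved.
    static <T> T unmarshal(JAXBContext ctx, Source src, Class<T> type)
            throws JAXBException {
        return ctx.createUnmarshaller().unmarshal(src, type).getValue();
    }
}
```

A DOMSource or StreamSource needs the same treatment on whichever parser produced the DOM or on the JAXB unmarshaller's own parser, so the simplest policy is to route all untrusted input through one of the two builders above.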
Package
Upstream: released (3.2.4, 4.0.0.RC1, 3.0.6.RELEASE-10)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (3.0.6.RELEASE-10)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (3.0.6.RELEASE-10)
Patches:
Upstream: https://github.com/SpringSource/spring-framework/pull/317
Vendor: http://www.debian.org/security/2014/dsa-2842

Updated: 2020-09-10 02:44:36 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)