Home > Vulnerability Database > CVE-2013-6429

Mend.io Vulnerability Database

CVE-2013-6429

Good to know:

Date: January 26, 2014

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Language: Java

Severity Score

5.3

Related Resources (13)

Url: http://www.gopivotal.com/security/cve-2013-6429

Url: http://www.securityfocus.com/bid/64947

Url: https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e

Url: https://github.com/spring-projects/spring-framework/issues/15704

Url: https://jira.spring.io/browse/SPR-11078?redirect=false

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

Url: http://secunia.com/advisories/57915

Url: https://nvd.nist.gov/vuln/detail/CVE-2013-6429

Url: http://www.securityfocus.com/archive/1/530770/100/0/threaded

Url: http://rhn.redhat.com/errata/RHSA-2014-0400.html

Url: https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8

Url: https://jira.springsource.org/browse/SPR-11078?page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel

Url: https://www.mend.io/vulnerability-database/CVE-2013-6429

Severity Score

5.3

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Improper Restriction of XML External Entity Reference ('XXE')

CWE-611

Top Fix

Upgrade Version

Upgrade to version 3.2.5

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2013-6429

Good to know:

Date: January 26, 2014

Language: Java

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?