Permissions, Privileges, and Access Controls in Pivotal Spring Framework - CVE-2013-7315
Published: April 24, 2024
Pivotal Spring Framework
Pivotal
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because Spring MVC in Spring Framework does not disable external entity resolution for the StAX XMLInputFactory. A remote attacker can read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue.