Vulnerability Name:

CVE-2013-7315 (CCN-95219)

Assigned:2013-08-22
Published:2013-08-22
Updated:2022-04-11
Summary:The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.
Note: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-264
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2013-7315

Source: BUGTRAQ
Type: UNKNOWN
20130822 CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework

Source: FULLDISC
Type: UNKNOWN
20131102 XXE Injection in Spring Framework

Source: DEBIAN
Type: UNKNOWN
DSA-2842

Source: CONFIRM
Type: Vendor Advisory
http://www.gopivotal.com/security/cve-2013-4152

Source: CCN
Type: IBM Security Bulletin 1989676 (WebSphere Portal)
Security Vulnerabilities in Spring Framework affect IBM WebSphere Portal

Source: CCN
Type: IBM Security Bulletin 1992651 (Tivoli Netcool Configuration Manager)
Vulnerabilities in OpenSource Spring Source/Pivotal Spring Framework affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

Source: CCN
Type: IBM Security Bulletin 1997874 (Security Guardium)
OpenSource Spring Source/Pivotal Spring Framework Vulnerabilities affect IBM Security Guardium (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054)

Source: CCN
Type: IBM Security Bulletin 1999040 (Tivoli Application Dependency Discovery Manager)
Pivotal Spring Framework vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)

Source: CCN
Type: IBM Security Bulletin 1999395 (Security QRadar SIEM)
Pivotal Spring Framework as used in IBM QRadar SIEM is vulnerable to various CVE's

Source: CCN
Type: IBM Security Bulletin 2013753 (Security Guardium Big Data Intelligence)
IBM Security Guardium Big Data Intelligence (SonarG) is vulnerable to using Components with Known Vulnerabilities

Source: BID
Type: UNKNOWN
77998

Source: XF
Type: UNKNOWN
springmvc-cve20137315-info-disc(95219)

Source: CCN
Type: SpringSource Security Advisory SPR-10806
Fix potential security risk when using Spring OXM

Source: CONFIRM
Type: Exploit, Patch
https://jira.springsource.org/browse/SPR-10806

Source: CCN
Type: Pivotal Web site
Spring Framework

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6396112 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in Spring Framework Affect IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6857863 (MobileFirst Platform Foundation)
Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6955033 (Security Directory Integrator)
IBM Security Directory Integrator is affected by multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001693 (Security Directory Suite VA)
IBM Security Directory Suite is vulnerable to multiple issues

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-7315

Vulnerable Configuration:Configuration 1:
  • cpe:/a:vmware:spring_framework:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.0.0:milestone2:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:*:*:*:*:*:*:*:* (Version <= 3.2.3)
  • OR cpe:/a:vmware:spring_framework:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0.m2:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m2:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:4.0.0:milestone1:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0.m1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:vmware:spring_framework:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m4:*:*:*:*:*:*
  • OR cpe:/a:springsource:spring_framework:3.0.0:m3:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:pivotal:spring_framework:3.2.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_portal:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_portal:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_big_data_intelligence:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.2:*:*:*:standard:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.artful:def:20137315000
    V
    		CVE-2013-7315 on Ubuntu 17.10 (artful) - medium.
    2014-01-23
    oval:com.ubuntu.xenial:def:20137315000
    V
    		CVE-2013-7315 on Ubuntu 16.04 LTS (xenial) - medium.
    2014-01-23
    oval:com.ubuntu.bionic:def:20137315000
    V
    		CVE-2013-7315 on Ubuntu 18.04 LTS (bionic) - medium.
    2014-01-23
    oval:com.ubuntu.bionic:def:201373150000000
    V
    		CVE-2013-7315 on Ubuntu 18.04 LTS (bionic) - medium.
    2014-01-23
    oval:com.ubuntu.precise:def:20137315000
    V
    		CVE-2013-7315 on Ubuntu 12.04 LTS (precise) - medium.
    2014-01-23
    oval:com.ubuntu.xenial:def:201373150000000
    V
    		CVE-2013-7315 on Ubuntu 16.04 LTS (xenial) - medium.
    2014-01-23
    oval:com.ubuntu.trusty:def:20137315000
    V
    		CVE-2013-7315 on Ubuntu 14.04 LTS (trusty) - medium.
    2014-01-23
    BACK
    vmware spring framework 3.1.4
    vmware spring framework 3.1.3
    vmware spring framework 4.0.0 milestone2
    springsource spring framework 3.0.5
    springsource spring framework 3.0.0 rc2
    springsource spring framework 3.0.0 rc1
    vmware spring framework *
    vmware spring framework 3.2.2
    vmware spring framework 3.1.0
    vmware spring framework 3.0.7
    springsource spring framework 3.0.2
    springsource spring framework 3.0.1
    springsource spring framework 3.0.0.m2
    springsource spring framework 3.0.0 m2
    springsource spring framework 3.0.0 m1
    vmware spring framework 3.2.1
    vmware spring framework 3.2.0
    vmware spring framework 3.0.6
    vmware spring framework 4.0.0 milestone1
    springsource spring framework 3.0.0.m1
    springsource spring framework 3.0.0 rc3
    springsource spring framework 3.0.0
    vmware spring framework 3.1.2
    vmware spring framework 3.1.1
    springsource spring framework 3.0.4
    springsource spring framework 3.0.3
    springsource spring framework 3.0.0 m4
    springsource spring framework 3.0.0 m3
    pivotal spring framework 3.2.4
    ibm websphere portal 8.0
    ibm qradar security information and event manager 7.2
    ibm websphere portal 8.5
    ibm tivoli application dependency discovery manager 7.2.2
    ibm tivoli netcool configuration manager 6.4.1
    ibm security guardium 9.0
    ibm security guardium 9.1
    ibm security guardium 9.5
    ibm security identity governance and intelligence 5.2
    ibm security identity governance and intelligence 5.2.1
    ibm tivoli netcool configuration manager 6.4.2
    ibm security guardium big data intelligence 3.1
    ibm security identity governance and intelligence 5.2.2
    ibm security identity governance and intelligence 5.2.2.1
    ibm security identity governance and intelligence 5.2.3
    ibm security identity governance and intelligence 5.2.3.1
    ibm security identity governance and intelligence 5.2.3.2
    ibm security identity governance and intelligence 5.2.4
    ibm security identity governance and intelligence 5.2.4.1
    ibm mobilefirst platform foundation 8.0.0
    ibm sterling b2b integrator 6.0.1.0
    ibm sterling b2b integrator 6.0.3.2