CVE-2013-4152: Cross-Site Request Forgery in Spring Framework
CVSS Score: 6.8

Basic Information

- CVE ID: CVE-2013-4152
- GHSA ID:
- EPSS Score: 0.99244%
- CWE:
- Published: 5/13/2022
- Updated: 2/27/2024
- KEV Status: No
- Technology: Java
Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.springframework:spring-oxm | maven | <= 3.2.3.RELEASE | 3.2.4.RELEASE |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability arises in two areas: 1) `Jaxb2Marshaller`'s handling of `SAXSource`/`StreamSource` in `unmarshal()` without disabling external entities, addressed in the GitHub patch that adds the `processSource()` mitigation; 2) `Jaxb2CollectionHttpMessageConverter`'s `XMLInputFactory` configuration, which lacked entity-resolution safeguards and was fixed in commits 434735f/7576274. Both code paths directly controlled XML parsing behavior and were explicitly patched to address XXE (XML External Entity injection).
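As an added example (not Spring's own code and not taken from the cited commits), this is the hardened parser setup the two patched areas amount to: a `SAXSource` built on an `XMLReader` that refuses external entities, in the spirit of `processSource()`, and an `XMLInputFactory` with DTD and external-entity support switched off. The class name, method names and the sample document are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedXmlSources {

    // Constructed sample: declares an external entity that an unhardened parser would try to fetch.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE person [<!ENTITY ext SYSTEM \"http://example.invalid/resource\">]>"
        + "<person><name>&ext;</name></person>";

    // Same idea as the Jaxb2Marshaller fix: wrap the input in a SAXSource whose XMLReader
    // rejects external general/parameter entities and never resolves anything itself.
    static SAXSource hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Belt and braces: any resolution attempt yields an empty input instead of a fetch.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    // Same idea as the Jaxb2CollectionHttpMessageConverter fix: a StAX factory with
    // DTD processing and external-entity support turned off before any reader is created.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // In real use the SAXSource is what you pass to JAXB's Unmarshaller.unmarshal(source).
        SAXSource source = hardenedSaxSource(SAMPLE);
        System.out.println("hardened reader: " + source.getXMLReader().getClass().getName());
        // Walk the sample with the hardened StAX reader: the entity is never expanded, so no
        // external content can be pulled in; the parser either skips it or rejects the document.
        XMLStreamReader r = hardenedInputFactory().createXMLStreamReader(new StringReader(SAMPLE));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS && !r.isWhiteSpace()) {
                    System.out.println("text: " + r.getText());
                }
            }
        } catch (Exception e) {
            System.out.println("parser refused document: " + e.getMessage());
        }
    }
}
```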