
CVE-2013-4152: Cross-Site Request Forgery in Spring Framework

CVSS Score: 6.8

Basic Information

EPSS Score: 0.99244%
Published: 5/13/2022
Updated: 2/27/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name: org.springframework:spring-oxm
Ecosystem: maven
Vulnerable Versions: <= 3.2.3.RELEASE
First Patched Version: 3.2.4.RELEASE

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability arises from two key areas: 1) Jaxb2Marshaller's handling of SAXSource/StreamSource in unmarshal() without disabling external entities, as shown in the GitHub patch adding the processSource() mitigation. 2) Jaxb2CollectionHttpMessageConverter's XMLInputFactory configuration lacking entity resolution safeguards, fixed in commits 434735f/7576274. Both functions directly controlled XML parsing behavior and were explicitly patched to address XXE.
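The two parsing paths named above, shown side by side as an added illustration (this is not Spring's code and not the actual patch; the Note class, the sample XML, and the method names are constructed for the example, and it assumes JAXB is on the classpath as javax.xml.bind). The first path hands a raw StreamSource to the unmarshaller, so the default SAX reader resolves DTD entities. The second wraps the input in a SAXSource whose XMLReader has DOCTYPE and external entities turned off, the same idea as the processSource() mitigation. The third shows the equivalent safeguard for code that builds its own XMLInputFactory, as the collection converter does. The sample document declares only a harmless internal entity; the point is that a hardened reader refuses the DOCTYPE mechanism itself rather than trusting what is declared inside it.

```java
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedUnmarshalDemo {

    // Hypothetical payload type for the example; not part of Spring.
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Constructed sample input: a DOCTYPE declaring an internal entity. Harmless here,
    // but <!DOCTYPE ...>/<!ENTITY ...> is the same mechanism an external-entity
    // declaration would use, so a hardened parser must refuse it outright.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY greeting \"hello from an entity\"> ]>\n" +
        "<note><body>&greeting;</body></note>";

    // Unhardened path: a bare StreamSource leaves entity resolution at the
    // parser's defaults, which is the condition the advisory describes.
    static Source plainSource(String xml) {
        return new StreamSource(new StringReader(xml));
    }

    // Hardened path in the spirit of processSource(): wrap the input in a SAXSource
    // whose XMLReader rejects DOCTYPE declarations and external entities.
    static Source hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    // Hardened StAX configuration: the safeguard the XMLInputFactory-based
    // converter lacked. DTD support and external entities are both switched off.
    static Source hardenedStaxSource(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        return new StAXSource(xsr);
    }

    static Note unmarshal(Source source) throws JAXBException {
        return (Note) JAXBContext.newInstance(Note.class)
                                 .createUnmarshaller()
                                 .unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // 1) Unhardened: the entity reference is expanded into the body text.
        System.out.println("plain: " + unmarshal(plainSource(SAMPLE_XML)).body);

        // 2) Hardened SAX: the DOCTYPE is rejected before any entity is resolved,
        //    surfacing as an UnmarshalException wrapping the SAXParseException.
        try {
            unmarshal(hardenedSaxSource(SAMPLE_XML));
        } catch (JAXBException e) {
            System.out.println("hardened SAX rejected input: " + e.getCause());
        }

        // 3) Hardened StAX: entity resolution is disabled, so the reference
        //    cannot be resolved and unmarshalling fails instead of expanding it.
        try {
            unmarshal(hardenedStaxSource(SAMPLE_XML));
        } catch (Exception e) {
            System.out.println("hardened StAX rejected input: " + e.getMessage());
        }
    }
}
```

Of the two hardened variants, the SAXSource wrapper is the one that maps directly onto Jaxb2Marshaller's unmarshal(Source) entry point, because JAXB uses the XMLReader supplied inside a SAXSource rather than creating its own; the StAX settings belong wherever an XMLInputFactory is constructed. In both cases the check worth keeping in a regression suite is the negative one: a document carrying a DOCTYPE must fail to unmarshal.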


WAF Protection Rules

WAF Rule

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF at
