1
Candidate: CVE-2013-4152
4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4152
5
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152
6
http://seclists.org/bugtraq/2013/Aug/154
7
http://www.gopivotal.com/security/cve-2013-4152
9
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when
10
using the JAXB marshaller, does not disable entity resolution, which allows
11
context-dependent attackers to read arbitrary files, cause a denial of
12
service, and conduct CSRF attacks via an XML external entity declaration in
13
conjunction with an entity reference in a (1) DOMSource, (2) StAXSource,
14
(3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
19
Discovered-by: Alvaro Munoz
22
Patches_libspring-java:
23
upstream: https://github.com/SpringSource/spring-framework/pull/317
24
vendor: http://www.debian.org/security/2014/dsa-2842
25
upstream_libspring-java: released (3.2.4, 4.0.0.RC1, 3.0.6.RELEASE-10)
26
lucid_libspring-java: DNE
27
precise_libspring-java: ignored (reached end-of-life)
28
precise/esm_libspring-java: DNE (precise was needed)
29
quantal_libspring-java: ignored (reached end-of-life)
30
raring_libspring-java: ignored (reached end-of-life)
31
saucy_libspring-java: ignored (reached end-of-life)
32
trusty_libspring-java: not-affected (3.0.6.RELEASE-10)
33
utopic_libspring-java: not-affected (3.0.6.RELEASE-10)
34
vivid_libspring-java: not-affected (3.0.6.RELEASE-10)
35
vivid/stable-phone-overlay_libspring-java: DNE
36
vivid/ubuntu-core_libspring-java: DNE
37
wily_libspring-java: not-affected (3.0.6.RELEASE-10)
38
xenial_libspring-java: not-affected (3.0.6.RELEASE-10)
39
yakkety_libspring-java: not-affected (3.0.6.RELEASE-10)
40
zesty_libspring-java: not-affected (3.0.6.RELEASE-10)
41
devel_libspring-java: not-affected (3.0.6.RELEASE-10)