{"id":"UBUNTU-CVE-2013-7315","details":"The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.","modified":"2025-07-16T07:47:40.593556Z","published":"2014-01-23T21:55:00Z","withdrawn":"2025-07-18T16:42:57Z","upstream":["CVE-2013-7315"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2013-7315"},{"type":"REPORT","url":"https://jira.springsource.org/browse/SPR-10806"},{"type":"REPORT","url":"http://www.gopivotal.com/security/cve-2013-4152"},{"type":"REPORT","url":"http://www.debian.org/security/2014/dsa-2842"},{"type":"REPORT","url":"http://seclists.org/fulldisclosure/2013/Nov/14"},{"type":"REPORT","url":"http://seclists.org/bugtraq/2013/Aug/154"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2013-7315"}],"affected":[{"package":{"name":"libspring-java","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/libspring-java@3.0.6.RELEASE-13?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.6.RELEASE-13"}]}],"versions":["3.0.6.RELEASE-7","3.0.6.RELEASE-8","3.0.6.RELEASE-9","3.0.6.RELEASE-10","3.0.6.RELEASE-11","3.0.6.RELEASE-12"],"ecosystem_specific":{"binaries":[{"binary_name":"libspring-aop-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-beans-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-context-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-context-support-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-core-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-expression-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-instrument-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-jdbc-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-jms-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-orm-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-oxm-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-test-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-transaction-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-web-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-web-portlet-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-web-servlet-java","binary_version":"3.0.6.RELEASE-13"},{"binary_name":"libspring-web-struts-java","binary_version":"3.0.6.RELEASE-13"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-7315.json"}},{"package":{"name":"libspring-java","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libspring-java@3.2.13-5?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.13-5"}]}],"versions":["3.2.13-3","3.2.13-4"],"ecosystem_specific":{"binaries":[{"binary_name":"libspring-aop-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-beans-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-context-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-context-support-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-core-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-expression-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-instrument-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-jdbc-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-jms-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-orm-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-oxm-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-test-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-transaction-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-web-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-web-portlet-java","binary_version":"3.2.13-5"},{"binary_name":"libspring-web-servlet-java","binary_version":"3.2.13-5"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-7315.json"}},{"package":{"name":"libspring-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libspring-java@4.3.14-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.14-1"}]}],"versions":["4.3.11-1","4.3.12-1","4.3.13-2"],"ecosystem_specific":{"binaries":[{"binary_name":"libspring-aop-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-beans-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-context-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-context-support-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-core-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-expression-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-instrument-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-jdbc-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-jms-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-messaging-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-orm-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-oxm-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-test-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-transaction-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-web-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-web-portlet-java","binary_version":"4.3.14-1"},{"binary_name":"libspring-web-servlet-java","binary_version":"4.3.14-1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-7315.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"medium"}]}