{"id":"UBUNTU-CVE-2013-4152","details":"The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.","modified":"2025-07-16T07:31:19.672498Z","published":"2014-01-23T21:55:00Z","withdrawn":"2025-07-18T16:42:54Z","upstream":["CVE-2013-4152"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2013-4152"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4152"},{"type":"REPORT","url":"http://seclists.org/bugtraq/2013/Aug/154"},{"type":"REPORT","url":"http://www.gopivotal.com/security/cve-2013-4152"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2013-4152"}],"affected":[{"package":{"name":"libspring-java","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/libspring-java@3.0.6.RELEASE-10?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.0.6.RELEASE-10"}]}],"versions":["3.0.6.RELEASE-7","3.0.6.RELEASE-8","3.0.6.RELEASE-9"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-aop-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-beans-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-context-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-context-support-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-core-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-expression-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-instrument-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-jdbc-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-jms-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-orm-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-oxm-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-test-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-transaction-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-web-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-web-portlet-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-web-servlet-java"},{"binary_version":"3.0.6.RELEASE-10","binary_name":"libspring-web-struts-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2013/UBUNTU-CVE-2013-4152.json"}}],"schema_version":"1.7.3","severity":[{"type":"Ubuntu","score":"medium"}]}