CVE-2013-6429

CVE Database · CVE-2013-6429

CVE-2013-6429

· N/AModified

CVSS v3.1

N/A

EPSS

90.45%

Published

Jan 26, 2014

Modified

Apr 28, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Weaknesses (CWE)

CWE-352CWE-611

Affected Products (4)

pivotal_software · spring_frameworkvulnerable

vmware · spring_frameworkvulnerable

References (14)

http://rhn.redhat.com/errata/RHSA-2014-0400.html

Third Party Advisory

http://secunia.com/advisories/57915

Third Party Advisory

http://www.gopivotal.com/security/cve-2013-6429

Third Party Advisory