Cross-site Request Forgery (CSRF) Affecting org.springframework:spring-web package, versions [3.0.0.RELEASE,3.2.8.RELEASE) [4.0.0.RELEASE,4.0.2.RELEASE)


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 39.6% (98th percentile)
Expand this section
NVD
6.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORK-31331
  • published 6 Jun 2014
  • disclosed 17 Apr 2014
  • credit Spase Markovski

Overview

org.springframework:spring-web Affected versions of this package do not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

References