Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
Description:
The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible Source implementations that can be passed to the unmarshaller:
It was also identified that Spring MVC processed user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has now been disabled in this case.
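The following is an added example, not Spring's own code or patch. It reproduces the affected pattern in plain Java: an XMLInputFactory created with defaults is used to read user-supplied XML, and the resulting StAX reader is handed to a JAXB Unmarshaller. It then shows the same flow with the two standard StAX properties that disable DTD processing and external entity resolution. The class names StaxXxeDemo and Order, the temp-file "secret", and the payload are constructed for illustration. It assumes the JDK's built-in StAX parser and JAXB on the classpath (bundled in JDK 8; on JDK 11 or later the javax.xml.bind API and an implementation must be added).

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class StaxXxeDemo {

    // Hypothetical request payload type, standing in for a Spring MVC @RequestBody target.
    @XmlRootElement(name = "order")
    public static class Order {
        public String note;
    }

    // Constructed attacker document: an external entity that pulls a local file into <note>.
    static String xxePayload(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">]>\n"
             + "<order><note>&xxe;</note></order>";
    }

    // The vulnerable set-up: a default XMLInputFactory. The JDK's built-in StAX parser
    // processes DTDs and resolves external entities unless explicitly told not to.
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    // The hardened set-up: refuse DTDs (which also blocks entity-expansion DoS) and, as
    // defence in depth, never resolve external entities. Both are standard StAX properties.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Same flow as the affected code path: a StAX reader over user input, handed to JAXB.
    static Order unmarshal(XMLInputFactory factory, String xml) throws Exception {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        Unmarshaller um = JAXBContext.newInstance(Order.class).createUnmarshaller();
        return (Order) um.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file so the demo runs offline without touching real system files.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cr3t-file-contents".getBytes(StandardCharsets.UTF_8));
        String payload = xxePayload(secret);

        // Vulnerable: the file's contents are bound into the object and would be echoed
        // back by any handler that returns or logs the request body.
        Order leaked = unmarshal(unsafeFactory(), payload);
        System.out.println("unsafe factory:   note = " + leaked.note);

        // Hardened: depending on the StAX implementation the DOCTYPE is either rejected
        // with an exception or the entity is left unexpanded; either way the file is not read.
        try {
            Order safe = unmarshal(hardenedFactory(), payload);
            System.out.println("hardened factory: note = " + safe.note);
        } catch (Exception e) {
            System.out.println("hardened factory: rejected (" + e.getClass().getSimpleName() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac StaxXxeDemo.java && java StaxXxeDemo`. Where an application constructs the Source itself rather than relying on the framework (for example a `javax.xml.transform.stax.StAXSource` wrapping a reader created by the hardened factory), the same two properties apply; if a third-party StAX implementation is on the classpath, confirm how it honours them, since exact behaviour on a rejected DOCTYPE differs between parsers.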
Mitigation:
Users of affected versions should apply the following mitigation:
Credit:
These issues were identified by Alvaro Munoz of the HP Enterprise Security Team.
References:
http://www.gopivotal.com/security/cve-2013-4152
https://github.com/SpringSource/spring-framework/pull/317 (Spring OXM)
https://jira.springsource.org/browse/SPR-10806 (Spring MVC)
History:
2013-Aug-22: Initial vulnerability report published.