N/A

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

N/A

N/A

Vmware Spring Framework权限许可和访问控制问题漏洞

Vmware Spring Framework是美国威睿（Vmware）公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 3.2.4之前版本，及4.0.0.M1至4.0.0.M2版本中的Spring MVC中存在权限许可和访问控制问题漏洞，该漏洞源于程序没有对StAX XMLInputFactory禁用外部实体解析。攻击者可借助带有JAXB的特制XML文件利用该漏洞读取任意文件，造成拒绝服务，并实施跨站请求伪造攻击。

N/A

N/A