CVE-2013-4152: The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable e
Summary
Spring Framework versions before 3.2.4 and 4.0.0.M1 have a vulnerability in their XML processing layer: the Spring OXM wrapper, when used with the JAXB marshaller, does not disable external entity resolution, so the underlying parser processes XML external entity (XXE) declarations embedded in untrusted input. An attacker who controls the XML supplied to the unmarshaller can read arbitrary files the application can access, cause denial of service (rendering the application unavailable), or conduct CSRF attacks (cross-site request forgery, tricking users into performing unwanted actions) by embedding malicious external entity declarations in the input data.
Solution / Mitigation
Upgrade Spring Framework to version 3.2.4 or 4.0.0.M1 or later. Red Hat provides patches and updates referenced in advisories RHSA-2014-0212, RHSA-2014-0245, RHSA-2014-0254, and RHSA-2014-0400. A patch is also available in the Spring Framework GitHub repository (https://github.com/spring-projects/spring-framework/pull/317/files).
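Upgrading is the fix; the following is an added example (not code from the advisory, the vendor patches, or the Spring project) showing how a defender configures Spring OXM's Jaxb2Marshaller so that DTDs and external entities are refused during unmarshalling, and how to verify that configuration with a constructed document. It assumes a patched Spring Framework (3.2.4 or later) where Jaxb2Marshaller exposes the setSupportDtd and setProcessExternalEntities properties; the Note class and the sample XML strings are constructed for this example.

```java
// Added example, not part of the original page: hardened Spring OXM JAXB configuration.
// Assumes Spring Framework 3.2.4+ where Jaxb2Marshaller offers setSupportDtd and
// setProcessExternalEntities (assumption; check the javadoc of the version you run).
import java.io.StringReader;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.transform.stream.StreamSource;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;

public class HardenedOxmConfig {

    // Constructed bound type standing in for an application's own JAXB model.
    @XmlRootElement(name = "note")
    public static class Note {
        private String body;
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
    }

    // Builds a marshaller that rejects DOCTYPE declarations and never resolves
    // external entities, the two switches that close the XXE class of attacks.
    public static Jaxb2Marshaller hardenedMarshaller(Class<?>... boundClasses) throws Exception {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setClassesToBeBound(boundClasses);
        marshaller.setSupportDtd(false);              // reject any <!DOCTYPE ...> outright
        marshaller.setProcessExternalEntities(false); // do not resolve SYSTEM/PUBLIC entities
        marshaller.afterPropertiesSet();              // initialises the JAXBContext
        return marshaller;
    }

    // Constructed inputs: a benign document and one carrying an (internal-only) DTD.
    // The second is enough to prove the parser refuses DOCTYPEs; no external reference is needed.
    static final String BENIGN_XML = "<note><body>hello</body></note>";
    static final String DOCTYPE_XML =
        "<!DOCTYPE note [<!ENTITY ex \"x\">]><note><body>&ex;</body></note>";

    // Returns true when the marshaller refuses the DTD-bearing document and still
    // parses the benign one, i.e. when the hardening is actually in effect.
    public static boolean rejectsDoctype(Jaxb2Marshaller marshaller) {
        Note ok = (Note) marshaller.unmarshal(new StreamSource(new StringReader(BENIGN_XML)));
        if (ok == null || !"hello".equals(ok.getBody())) {
            return false; // benign input must still work, otherwise the config is wrong
        }
        try {
            marshaller.unmarshal(new StreamSource(new StringReader(DOCTYPE_XML)));
            return false; // DOCTYPE was accepted: entity processing is NOT disabled
        } catch (XmlMappingException expected) {
            return true;  // Spring wraps the SAX "DOCTYPE disallowed" error here
        }
    }

    public static void main(String[] args) throws Exception {
        Jaxb2Marshaller marshaller = hardenedMarshaller(Note.class);
        System.out.println("DTD/XXE input rejected: " + rejectsDoctype(marshaller));
    }
}
```

Run rejectsDoctype against every Jaxb2Marshaller bean an application defines (for instance from an integration test) to catch a bean that was upgraded but left with supportDtd or processExternalEntities set back to true; in versions before the fix the second property does not exist, which is itself a quick way to confirm whether the deployed framework is still affected.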
Vulnerability Details
CVSS base score: 6.8
EPSS: 89.0%
Taxonomy References
Original source: https://nvd.nist.gov/vuln/detail/CVE-2013-4152
First tracked: February 15, 2026 at 08:43 PM
Classified by LLM (prompt v3) · confidence: 95%