The fix for the XXE injection vulnerability in Spring's framework was incomplete when addressing the issue outlined in CVE-2013-4152. Versions affected include Spring MVC 3.0.0 to 3.2.4 and Spring MVC 4.0.0.M1 to 4.0.0.RC1.
173314b9e0698f8b4a1f988549c3ab83bb9af713cd2cc7374742743449dc9f25