CVE-2019-3772

CWE-611 — XML External Entity (XXE)CWE-20 — Improper Input Validation6 documents6 sources

Severity

9.8CRITICAL

EPSS

2.0%

top 16.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Integration Vmware Spring Integration Oracle Retail Customer Management AND Segmentation Foundation

Timeline

PublishedJan 18

Latest updateJan 29

Description

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5spring/spring_integration5.0 — v5.0.10.RELEASE+2

▶Mavenorg.springframework.integration:spring-integration-ws5.0.0 — 5.0.11+2

▶Mavenorg.springframework.integration:spring-integration-xml5.0.0 — 5.0.11+2

▶NVDvmware/spring_integration5.0.0 — 5.0.10+2

▶NVDoracle/retail_customer_management_and_segmentation_foundation16.0, 17.0, 18.0+2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml↗2019-01-25

▶

OSV

Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml↗2019-01-25

▶

CVEList

Spring Integration XML External Entity Injection (XXE)↗2019-01-18

▶

📋Vendor Advisories

Red Hat

spring-integration: XML External Entity Injection (XXE) when receiving XML data from untrusted sources↗2019-01-14

▶

💬Community

Bugzilla

CVE-2019-3772 spring-integration: XML External Entity Injection (XXE) when receiving XML data from untrusted sources↗2019-01-29

▶