CVE-2019-3773: XML External Entity (XXE) Injection in Spring Web Services

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.3% (top 46.20%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 18; Latest update Apr 15

Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 4 packages

Patches

Vulnerability Details (3)

OSV: Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml (2019-01-25)
GHSA: Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml (2019-01-25)
CVEList: Spring Web Services XML External Entity Injection (XXE) (2019-01-18)

Vendor Advisories (3)

Oracle: Oracle Financial Services Applications Risk Matrix: Order Management (Spring Web Services), CVE-2019-3773 (2021-04-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Infrastructure (Spring Web Services), CVE-2019-3773 (2021-01-15)
Red Hat: spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (2019-01-14)

Community (1)

Bugzilla: CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (2019-01-29)

Source: CVE-2019-3773, XML External Entity (XXE) Injection | cvebase