Critical severityNVD Advisory· Published Jan 18, 2019· Updated Sep 17, 2024

Spring Web Services XML External Entity Injection (XXE)

CVE-2019-3773

Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.ws:spring-wsMaven	< 2.4.4	2.4.4
org.springframework.ws:spring-wsMaven	>= 3.0.0, < 3.0.6	3.0.6
org.springframework.ws:spring-xmlMaven	< 2.4.4	2.4.4
org.springframework.ws:spring-xmlMaven	>= 3.0.0, < 3.0.6	3.0.6

Affected products

Spring/Spring Web Servicesv5
Range: 3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8222-6fc8-mhvfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-3773ghsaADVISORY
pivotal.io/security/cve-2019-3773ghsaWEB
www.oracle.com/security-alerts/cpuApr2021.htmlghsaWEB
www.oracle.com/security-alerts/cpujan2021.htmlghsaWEB
www.oracle.com/security-alerts/cpujul2021.htmlghsaWEB
security.netapp.com/advisory/ntap-20231227-0011/mitre
www.oracle.com//security-alerts/cpujul2021.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000