CVE-2019-13990

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Published: Jul 26, 2019
Updated: Oct 29, 2023
CVE: CVE-2019-13990
GHSA: GHSA-9qcf-c26r-x5rf
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
softwareag / quartz	-	2.3.2
oracle / flexcube_investor_servicing	12.3.0	12.3.0.x
oracle / flexcube_investor_servicing	12.1.0	12.1.0.x
oracle / retail_xstore_point_of_service	15.0	15.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / primavera_unifier	16.2	16.2.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / primavera_unifier	16.1	16.1.x
oracle / retail_integration_bus	15.0	15.0.x
oracle / retail_back_office	14.1	14.1.x
oracle / flexcube_investor_servicing	12.4.0	12.4.0.x
oracle / webcenter_sites	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_xstore_point_of_service	16.0	16.0.x
oracle / fusion_middleware_mapviewer	12.2.1.3.0	12.2.1.3.0.x
oracle / retail_order_broker	15.0	15.0.x
oracle / retail_order_broker	16.0	16.0.x
oracle / retail_integration_bus	16.0	16.0.x
oracle / retail_returns_management	14.1	14.1.x
oracle / retail_central_office	14.1	14.1.x
oracle / primavera_unifier	18.8	18.8.x
oracle / retail_point-of-service	14.1	14.1.x
oracle / primavera_unifier	17.7	17.12.x
oracle / flexcube_investor_servicing	14.1.0	14.1.0.x
oracle / webcenter_sites	12.2.1.4.0	12.2.1.4.0.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
oracle / retail_xstore_point_of_service	18.0	18.0.x
oracle / retail_xstore_point_of_service	19.0	19.0.x
oracle / communications_ip_service_activator	7.4.0	7.4.0.x
oracle / communications_ip_service_activator	7.3.0	7.3.0.x
oracle / banking_payments	14.1.0	14.4.0.x
oracle / hyperion_infrastructure_technology	11.1.2.4	11.1.2.4.x
oracle / enterprise_manager_ops_center	12.4.0.0	12.4.0.0.x
oracle / customer_management_and_segmentation_foundation	18.0	18.0.x
oracle / communications_session_route_manager	8.2.0	8.2.2.x
oracle / retail_order_broker	18.0	18.0.x
oracle / enterprise_manager_base_platform	13.2.1.0	13.2.1.0.x
oracle / banking_enterprise_originations	2.8.0	2.8.0.x
oracle / banking_enterprise_originations	2.7.0	2.7.0.x
oracle / banking_enterprise_product_manufacturing	2.7.0	2.7.0.x
oracle / banking_enterprise_product_manufacturing	2.8.0	2.8.0.x
oracle / retail_order_broker	19.0	19.0.x
oracle / jd_edwards_enterpriseone_orchestrator	-	9.2.5.3.x
oracle / documaker	12.6.0	12.6.4.x
oracle / flexcube_investor_servicing	14.4.0	14.4.0.x
oracle / google_guava_mapviewer	12.2.0.1	12.2.0.1.x
oracle / google_guava_mapviewer	18c	18c.x
oracle / google_guava_mapviewer	19c	19c.x
oracle / apache_batik_mapviewer	12.2.0.1	12.2.0.1.x
oracle / apache_batik_mapviewer	18c	18c.x
oracle / apache_batik_mapviewer	19c	19c.x
oracle / terracotta_quartz_scheduler_mapviewer	12.2.0.1	12.2.0.1.x
oracle / terracotta_quartz_scheduler_mapviewer	18c	18c.x
oracle / terracotta_quartz_scheduler_mapviewer	19c	19c.x
apache / tomee	7.1.3	7.1.3.x
org.quartz-scheduler / quartz	-	2.3.2
atlassian / jira_service_management	4.20.0	4.20.0.x
atlassian / jira_service_management	4.20.1	4.20.1.x
atlassian / jira_service_management	4.20.10	4.20.10.x
atlassian / jira_service_management	4.20.11	4.20.11.x
atlassian / jira_service_management	4.20.12	4.20.12.x
atlassian / jira_service_management	4.20.13	4.20.13.x
atlassian / jira_service_management	4.20.14	4.20.14.x
atlassian / jira_service_management	4.20.15	4.20.15.x
atlassian / jira_service_management	4.20.16	4.20.16.x
atlassian / jira_service_management	4.20.17	4.20.17.x
atlassian / jira_service_management	4.20.18	4.20.18.x
atlassian / jira_service_management	4.20.19	4.20.19.x
atlassian / jira_service_management	4.20.2	4.20.2.x
atlassian / jira_service_management	4.20.20	4.20.20.x
atlassian / jira_service_management	4.20.21	4.20.21.x
atlassian / jira_service_management	4.20.22	4.20.22.x
atlassian / jira_service_management	4.20.23	4.20.23.x
atlassian / jira_service_management	4.20.24	4.20.24.x
atlassian / jira_service_management	4.20.25	4.20.25.x
atlassian / jira_service_management	4.20.3	4.20.3.x
atlassian / jira_service_management	4.20.4	4.20.4.x
atlassian / jira_service_management	4.20.5	4.20.5.x
atlassian / jira_service_management	4.20.6	4.20.6.x
atlassian / jira_service_management	4.20.7	4.20.7.x
atlassian / jira_service_management	4.20.8	4.20.8.x
atlassian / jira_service_management	4.20.9	4.20.9.x
atlassian / jira_service_management	4.21.0	4.21.0.x
atlassian / jira_service_management	4.21.1	4.21.1.x
atlassian / jira_service_management	4.22.0	4.22.0.x
atlassian / jira_service_management	4.22.1	4.22.1.x
atlassian / jira_service_management	4.22.2	4.22.2.x
atlassian / jira_service_management	4.22.3	4.22.3.x
atlassian / jira_service_management	4.22.4	4.22.4.x
atlassian / jira_service_management	4.22.6	4.22.6.x
atlassian / jira_service_management	5.0.0	5.0.0.x
atlassian / jira_service_management	5.1.0	5.1.0.x
atlassian / jira_service_management	5.1.1	5.1.1.x
atlassian / jira_service_management	5.2.0	5.2.0.x
atlassian / jira_service_management	5.2.1	5.2.1.x
atlassian / jira_service_management	5.3.0	5.3.0.x
atlassian / jira_service_management	5.3.1	5.3.1.x
atlassian / jira_service_management	5.3.2	5.3.2.x
atlassian / jira_service_management	5.3.3	5.3.3.x
atlassian / jira_service_management	5.4.0	5.4.0.x
atlassian / jira_service_management	5.4.1	5.4.1.x
atlassian / jira_service_management	5.4.2	5.4.2.x
atlassian / jira_service_management	5.4.3	5.4.3.x
atlassian / jira_service_management	5.4.4	5.4.4.x
atlassian / jira_service_management	5.4.5	5.4.5.x
atlassian / jira_service_management	5.4.6	5.4.6.x
atlassian / jira_service_management	5.4.7	5.4.7.x
atlassian / jira_service_management	5.4.8	5.4.8.x
atlassian / jira_service_management	5.4.9	5.4.9.x
atlassian / jira_service_management	5.5.1	5.5.1.x
atlassian / jira_service_management	5.6.0	5.6.0.x
atlassian / jira_service_management	5.7.0	5.7.0.x
atlassian / jira_service_management	5.7.1	5.7.1.x
atlassian / jira_service_management	5.8.0	5.8.0.x
atlassian / jira_service_management	5.8.1	5.8.1.x
atlassian / jira_service_management	5.9.0	5.9.0.x
atlassian / jira_service_management	5.10.0	5.10.0.x

Vulnerability Database

289,599

CVE-2019-13990