CVE-2019-3773

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Published: Jan 18, 2019
Updated: Dec 28, 2023
CVE: CVE-2019-3773
GHSA: GHSA-8222-6fc8-mhvf
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
pivotal_software / spring_web_services	-	2.4.3.x
pivotal_software / spring_web_services	3.0.0	3.0.4.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / financial_services_analytical_applications_infrastructure	8.0.6	8.1.0.x
org.springframework.ws / spring-ws	-	2.4.4
org.springframework.ws / spring-ws	3.0.0	3.0.6
org.springframework.ws / spring-xml	-	2.4.4
org.springframework.ws / spring-xml	3.0.0	3.0.6

Vulnerability Database

289,697

CVE-2019-3773