CVE-2019-3773
Spring Web Services XML External Entity Injection (XXE)
Public Exploits: 0
Exploited in Wild: -
Descriptions
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include XML injection, bypass, code execution, cross site scripting, denial of service, deserialization, file disclosure, information leakage, memory leak, out of bounds read, privilege escalation, server-side request forgery, and remote SQL injection vulnerabilities.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-01-03 CVE Reserved
- 2019-01-18 CVE Published
- 2024-09-17 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20231227-0011 | | |
https://www.oracle.com/security-alerts/cpuApr2021.html | Not Applicable | |

URL | Date | SRC |
---|---|---|
https://www.oracle.com//security-alerts/cpujul2021.html | 2023-12-27 | |
https://www.oracle.com/security-alerts/cpujan2021.html | 2023-12-27 | |
https://pivotal.io/security/cve-2019-3773 | 2023-12-27 | |
https://access.redhat.com/security/cve/CVE-2019-3773 | 2020-12-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1670593 | 2020-12-16 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Pivotal Software | Spring Web Services | <= 2.4.3 | - | Affected |
Pivotal Software | Spring Web Services | >= 3.0.0 <= 3.0.4 | - | Affected |
Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6 <= 8.1.0 | - | Affected |
Oracle | Flexcube Private Banking | 12.0.0 | - | Affected |
Oracle | Flexcube Private Banking | 12.1.0 | - | Affected |