CVE-2019-3773
Spring Web Services XML External Entity Injection (XXE)
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Spring Web Services, en sus versiones 2.4.3, 3.0.4 y anteriores no soportadas de los tres proyectos, era susceptible a inyecciones XEE (XML External Entity) cuando recibĂa datos XML de fuentes no fiables.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-01-03 CVE Reserved
- 2019-01-18 CVE Published
- 2024-09-06 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20231227-0011 |
|
|
| https://www.oracle.com/security-alerts/cpuApr2021.html | Not Applicable |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | 2023-12-27 | |
| https://www.oracle.com/security-alerts/cpujan2021.html | 2023-12-27 |
| URL | Date | SRC |
|---|---|---|
| https://pivotal.io/security/cve-2019-3773 | 2023-12-27 | |
| https://access.redhat.com/security/cve/CVE-2019-3773 | 2020-12-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1670593 | 2020-12-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Pivotal Software Search vendor "Pivotal Software" | Spring Web Services Search vendor "Pivotal Software" for product "Spring Web Services" | <= 2.4.3 Search vendor "Pivotal Software" for product "Spring Web Services" and version " <= 2.4.3" | - |
Affected
| ||||||
| Pivotal Software Search vendor "Pivotal Software" | Spring Web Services Search vendor "Pivotal Software" for product "Spring Web Services" | >= 3.0.0 <= 3.0.4 Search vendor "Pivotal Software" for product "Spring Web Services" and version " >= 3.0.0 <= 3.0.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Financial Services Analytical Applications Infrastructure Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" | >= 8.0.6 <= 8.1.0 Search vendor "Oracle" for product "Financial Services Analytical Applications Infrastructure" and version " >= 8.0.6 <= 8.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.0.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Flexcube Private Banking Search vendor "Oracle" for product "Flexcube Private Banking" | 12.1.0 Search vendor "Oracle" for product "Flexcube Private Banking" and version "12.1.0" | - |
Affected
| ||||||