ghsa-8222-6fc8-mhvf
Vulnerability from github
Published
2019-01-25 16:18
Modified
2021-06-15 16:59
Severity
Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary
Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Details

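Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE, CWE-611) when receiving XML data from untrusted sources. The phrase "all three projects" is not explained on this page; the record below lists two affected Maven packages, org.springframework.ws:spring-ws and org.springframework.ws:spring-xml. According to the range data below, the fixed versions are 2.4.4 (for the 2.x line and earlier) and 3.0.6 (for the 3.x line), so affected deployments should upgrade to one of those or later. Note that the 3.x ranges mark 3.0.6 as the fix while giving the last known affected version as <= 3.0.4, so range-based matching will also flag 3.0.5 as affected.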



{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ws:spring-ws"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ws:spring-ws"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ws:spring-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ws:spring-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-3773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:23:54Z",
    "nvd_published_at": "2019-01-18T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
  "id": "GHSA-8222-6fc8-mhvf",
  "modified": "2021-06-15T16:59:20Z",
  "published": "2019-01-25T16:18:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3773"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-8222-6fc8-mhvf"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-3773"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml"
}





