gsd-2019-3773
Vulnerability from gsd
Modified
2023-12-13 01:24
Details
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-3773",
"description": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
"id": "GSD-2019-3773",
"references": [
"https://access.redhat.com/errata/RHSA-2020:5568"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-3773"
],
"details": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
"id": "GSD-2019-3773",
"modified": "2023-12-13T01:24:03.170840Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2019-01-15T20:30:17.000Z",
"ID": "CVE-2019-3773",
"STATE": "PUBLIC",
"TITLE": "Spring Web Services XML External Entity Injection (XXE) "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Web Services",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_name": "3.0",
"version_value": "v3.0.4.RELEASE"
},
{
"affected": "\u003c",
"version_name": "2.4",
"version_value": "v2.4.3.RELEASE"
}
]
}
}
]
},
"vendor_name": "Spring"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: XML External Entities (XXE)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://pivotal.io/security/cve-2019-3773",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2019-3773"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20231227-0011/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20231227-0011/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,2.4.4),[3.0.0,3.0.4]",
"affected_versions": "All versions before 2.4.4, all versions starting from 3.0.0 up to 3.0.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-611",
"CWE-937"
],
"date": "2021-06-15",
"description": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
"fixed_versions": [
"2.4.4",
"3.0.6"
],
"identifier": "CVE-2019-3773",
"identifiers": [
"GHSA-8222-6fc8-mhvf",
"CVE-2019-3773"
],
"not_impacted": "All versions starting from 2.4.4 before 3.0.0, all versions after 3.0.4",
"package_slug": "maven/org.springframework.ws/spring-ws",
"pubdate": "2019-01-25",
"solution": "Upgrade to versions 2.4.4, 3.0.6 or above.",
"title": "Improper Restriction of XML External Entity Reference",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-3773",
"https://github.com/advisories/GHSA-8222-6fc8-mhvf",
"https://pivotal.io/security/cve-2019-3773"
],
"uuid": "c45349e2-d87e-4714-bef8-738731512452"
},
{
"affected_range": "(,2.4.4),[3.0.0,3.0.4]",
"affected_versions": "All versions before 2.4.4, all versions starting from 3.0.0 up to 3.0.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-611",
"CWE-937"
],
"date": "2021-06-15",
"description": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.",
"fixed_versions": [
"2.4.4",
"3.0.6"
],
"identifier": "CVE-2019-3773",
"identifiers": [
"GHSA-8222-6fc8-mhvf",
"CVE-2019-3773"
],
"not_impacted": "All versions starting from 2.4.4 before 3.0.0, all versions after 3.0.4",
"package_slug": "maven/org.springframework.ws/spring-xml",
"pubdate": "2019-01-25",
"solution": "Upgrade to versions 2.4.4, 3.0.6 or above.",
"title": "Improper Restriction of XML External Entity Reference",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-3773",
"https://github.com/advisories/GHSA-8222-6fc8-mhvf",
"https://pivotal.io/security/cve-2019-3773"
],
"uuid": "c5762580-1904-435a-9ea9-7bed0d6499cc"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pivotal_software:spring_web_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DBDE91A6-D7B0-43B7-B8E2-3342DD172AAB",
"versionEndIncluding": "2.4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pivotal_software:spring_web_services:*:*:*:*:*:*:*:*",
"matchCriteriaId": "76CE1C67-4622-46D4-9CD3-258F32520325",
"versionEndIncluding": "3.0.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
"matchCriteriaId": "021014B2-DC51-481C-BCFE-5857EFBDEDDA",
"versionEndIncluding": "8.1.0",
"versionStartIncluding": "8.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources."
},
{
"lang": "es",
"value": "Spring Web Services, en sus versiones 2.4.3, 3.0.4 y anteriores no soportadas de los tres proyectos, era susceptible a inyecciones XEE (XML External Entity) cuando recib\u00eda datos XML de fuentes no fiables."
}
],
"id": "CVE-2019-3773",
"lastModified": "2023-12-27T15:15:44.890",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-18T22:29:01.020",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2019-3773"
},
{
"source": "security_alert@emc.com",
"url": "https://security.netapp.com/advisory/ntap-20231227-0011/"
},
{
"source": "security_alert@emc.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"source": "security_alert@emc.com",
"tags": [
"Not Applicable"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "security_alert@emc.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security_alert@emc.com",
"type": "Secondary"
}
]
}
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.