Description
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Remediation
References
https://pivotal.io/security/cve-2019-3773
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://security.netapp.com/advisory/ntap-20231227-0011/