Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Remediation

References

https://pivotal.io/security/cve-2019-3773

https://security.netapp.com/advisory/ntap-20231227-0011/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

Related Vulnerabilities

CVE-2021-30181 Vulnerability in maven package org.apache.dubbo:dubbo

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-jms-processors

CVE-2023-3308 Vulnerability in maven package com.whaleal.icefrog:icefrog-all

CVE-2019-12399 Vulnerability in maven package org.apache.kafka:kafka

CVE-2018-1000191 Vulnerability in maven package com.blackducksoftware.integration:blackduck-detect

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Patch Third Party Advisory Not Applicable