Description
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Remediation
References
https://pivotal.io/security/cve-2019-3773
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://security.netapp.com/advisory/ntap-20231227-0011/