Description
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Remediation
References
https://pivotal.io/security/cve-2019-3773
https://security.netapp.com/advisory/ntap-20231227-0011/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html