Description
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Remediation
References
https://pivotal.io/security/cve-2019-3773
https://security.netapp.com/advisory/ntap-20231227-0011/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2021.html