Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Remediation

References

https://pivotal.io/security/cve-2019-3773

https://security.netapp.com/advisory/ntap-20231227-0011/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

Related Vulnerabilities

CVE-2013-4517 Vulnerability in maven package xml-security:xmlsec

CVE-2014-3579 Vulnerability in maven package org.apache.activemq:apollo-selector

CVE-2023-29209 Vulnerability in maven package org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro

CVE-2017-1000006 Vulnerability in maven package org.webjars.bowergithub.plotly:plotly.js

CVE-2023-31579 Vulnerability in maven package top.tangyh.basic:lamp-util

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Patch Third Party Advisory Not Applicable