Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Remediation

References

https://pivotal.io/security/cve-2019-3773

https://security.netapp.com/advisory/ntap-20231227-0011/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

Related Vulnerabilities

CVE-2023-24187 Vulnerability in maven package com.bstek.ureport:ureport2-core

CVE-2023-33941 Vulnerability in maven package com.liferay:com.liferay.oauth2.provider.rest

CVE-2022-29894 Vulnerability in npm package strapi

CVE-2010-4207 Vulnerability in maven package org.webjars:yui

CVE-2023-1454 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-common

Severity

Critical

Classification

CWE-611 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Patch Third Party Advisory Not Applicable