Spring Integration XML External Entity Injection (XXE)
CVE-2019-3772

9.8CRITICAL

Key Information:

Vendor: Spring
Status: Spring Integration
Vendor: CVE Published:; 18 January 2019

What is CVE-2019-3772?

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Affected Version(s)

Spring Integration 5.0

Spring Integration 5.1

Spring Integration 4.3

References

https://pivotal.io/security/cve-2019-3772

x_refsource_CONFIRM

https://www.oracle.com/technetwork/security-advisory/cpua...

x_refsource_MISC

http://www.securityfocus.com/bid/106749

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 18, 2019
Vulnerability Reserved
Jan 3, 2019