CVE-2019-3773 org.springframework.ws:spring-ws

Package

Manager: maven
Name: org.springframework.ws:spring-ws
Vulnerable Version: >=0 <2.4.4 || >=3.0.0 <=3.0.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00311 (percentile: 0.53672)

Details

This vulnerability affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml. Spring Web Services versions 2.4.3, 3.0.4, and older unsupported versions of all three projects were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Metadata

Created: 2019-01-25T16:18:52Z
Modified: 2021-06-15T16:59:20Z
Source: MANUAL
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-8222-6fc8-mhvf
Finding: F083
Auto approve: 1