1. CVE-Search
  2. CVE-2019-3773
ID CVE-2019-3773
Summary Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
References
Vulnerable Configurations
  • cpe:2.3:a:pivotal_software:spring_web_services:0.9:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:0.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:1.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:1.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:2.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pivotal_software:spring_web_services:3.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:pivotal_software:spring_web_services:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 27-12-2023 - 15:15)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
confirm https://pivotal.io/security/cve-2019-3773
misc https://www.oracle.com/security-alerts/cpujan2021.html
Last major update 27-12-2023 - 15:15
Published 18-01-2019 - 22:29
Last modified 27-12-2023 - 15:15
Back to Top