CVE-2019-13990: XEE
First published: Fri Jul 26 2019(Updated: )
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rhvm-dependencies | <0:4.4.0-1.el8e | 0:4.4.0-1.el8e |
| IBM Data Risk Manager | <=2.0.6 | |
| maven/org.quartz-scheduler:quartz | <2.3.2 | 2.3.2 |
| redhat/quartz | <2.3.2 | 2.3.2 |
| Softwareag Quartz | <2.3.2 | |
| Oracle Apache Batik Mapviewer | =12.2.0.1 | |
| Oracle Apache Batik Mapviewer | =18c | |
| Oracle Apache Batik Mapviewer | =19c | |
| Oracle Banking Enterprise Originations | =2.7.0 | |
| Oracle Banking Enterprise Originations | =2.8.0 | |
| Oracle Banking Enterprise Product Manufacturing | =2.7.0 | |
| Oracle Banking Enterprise Product Manufacturing | =2.8.0 | |
| Oracle Banking Payments | >=14.1.0<=14.4.0 | |
| Oracle Communications Ip Service Activator | =7.3.0 | |
| Oracle Communications Ip Service Activator | =7.4.0 | |
| Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
| Oracle Customer Management And Segmentation Foundation | =18.0 | |
| Oracle Documaker | >=12.6.0<=12.6.4 | |
| Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.4.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Fusion Middleware MapViewer | =12.2.1.3.0 | |
| Oracle Google Guava Mapviewer | =12.2.0.1 | |
| Oracle Google Guava Mapviewer | =18c | |
| Oracle Google Guava Mapviewer | =19c | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Jd Edwards Enterpriseone Orchestrator | <=9.2.5.3 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Retail Back Office | =14.1 | |
| Oracle Retail Central Office | =14.1 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Order Broker | =18.0 | |
| Oracle Retail Order Broker | =19.0 | |
| Oracle Retail Point-of-Service | =14.1 | |
| Oracle Retail Returns Management | =14.1 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Oracle Retail Xstore Point of Service | =18.0 | |
| Oracle Retail Xstore Point of Service | =19.0 | |
| Oracle Terracotta Quartz Scheduler Mapviewer | =12.2.0.1 | |
| Oracle Terracotta Quartz Scheduler Mapviewer | =18c | |
| Oracle Terracotta Quartz Scheduler Mapviewer | =19c | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 | |
| Apache TomEE | =7.1.3 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Cloud Secure Agent | ||
| Atlassian Jira Service Management | =4.20.0 | |
| Atlassian Jira Service Management | =4.20.0 | |
| Atlassian Jira Service Management | =4.20.1 | |
| Atlassian Jira Service Management | =4.20.1 | |
| Atlassian Jira Service Management | =4.20.2 | |
| Atlassian Jira Service Management | =4.20.2 | |
| Atlassian Jira Service Management | =4.20.3 | |
| Atlassian Jira Service Management | =4.20.3 | |
| Atlassian Jira Service Management | =4.20.4 | |
| Atlassian Jira Service Management | =4.20.4 | |
| Atlassian Jira Service Management | =4.20.5 | |
| Atlassian Jira Service Management | =4.20.5 | |
| Atlassian Jira Service Management | =4.20.6 | |
| Atlassian Jira Service Management | =4.20.6 | |
| Atlassian Jira Service Management | =4.20.7 | |
| Atlassian Jira Service Management | =4.20.7 | |
| Atlassian Jira Service Management | =4.20.8 | |
| Atlassian Jira Service Management | =4.20.8 | |
| Atlassian Jira Service Management | =4.20.9 | |
| Atlassian Jira Service Management | =4.20.9 | |
| Atlassian Jira Service Management | =4.20.10 | |
| Atlassian Jira Service Management | =4.20.10 | |
| Atlassian Jira Service Management | =4.20.11 | |
| Atlassian Jira Service Management | =4.20.11 | |
| Atlassian Jira Service Management | =4.20.12 | |
| Atlassian Jira Service Management | =4.20.12 | |
| Atlassian Jira Service Management | =4.20.13 | |
| Atlassian Jira Service Management | =4.20.13 | |
| Atlassian Jira Service Management | =4.20.14 | |
| Atlassian Jira Service Management | =4.20.14 | |
| Atlassian Jira Service Management | =4.20.15 | |
| Atlassian Jira Service Management | =4.20.15 | |
| Atlassian Jira Service Management | =4.20.16 | |
| Atlassian Jira Service Management | =4.20.16 | |
| Atlassian Jira Service Management | =4.20.17 | |
| Atlassian Jira Service Management | =4.20.17 | |
| Atlassian Jira Service Management | =4.20.18 | |
| Atlassian Jira Service Management | =4.20.18 | |
| Atlassian Jira Service Management | =4.20.19 | |
| Atlassian Jira Service Management | =4.20.19 | |
| Atlassian Jira Service Management | =4.20.20 | |
| Atlassian Jira Service Management | =4.20.20 | |
| Atlassian Jira Service Management | =4.20.21 | |
| Atlassian Jira Service Management | =4.20.21 | |
| Atlassian Jira Service Management | =4.20.22 | |
| Atlassian Jira Service Management | =4.20.22 | |
| Atlassian Jira Service Management | =4.20.23 | |
| Atlassian Jira Service Management | =4.20.23 | |
| Atlassian Jira Service Management | =4.20.24 | |
| Atlassian Jira Service Management | =4.20.24 | |
| Atlassian Jira Service Management | =4.20.25 | |
| Atlassian Jira Service Management | =4.20.25 | |
| Atlassian Jira Service Management | =4.21.0 | |
| Atlassian Jira Service Management | =4.21.0 | |
| Atlassian Jira Service Management | =4.21.1 | |
| Atlassian Jira Service Management | =4.21.1 | |
| Atlassian Jira Service Management | =4.22.0 | |
| Atlassian Jira Service Management | =4.22.0 | |
| Atlassian Jira Service Management | =4.22.1 | |
| Atlassian Jira Service Management | =4.22.1 | |
| Atlassian Jira Service Management | =4.22.2 | |
| Atlassian Jira Service Management | =4.22.2 | |
| Atlassian Jira Service Management | =4.22.3 | |
| Atlassian Jira Service Management | =4.22.3 | |
| Atlassian Jira Service Management | =4.22.4 | |
| Atlassian Jira Service Management | =4.22.4 | |
| Atlassian Jira Service Management | =4.22.6 | |
| Atlassian Jira Service Management | =4.22.6 | |
| Atlassian Jira Service Management | =5.0.0 | |
| Atlassian Jira Service Management | =5.0.0 | |
| Atlassian Jira Service Management | =5.1.0 | |
| Atlassian Jira Service Management | =5.1.0 | |
| Atlassian Jira Service Management | =5.1.1 | |
| Atlassian Jira Service Management | =5.1.1 | |
| Atlassian Jira Service Management | =5.2.0 | |
| Atlassian Jira Service Management | =5.2.0 | |
| Atlassian Jira Service Management | =5.2.1 | |
| Atlassian Jira Service Management | =5.2.1 | |
| Atlassian Jira Service Management | =5.3.0 | |
| Atlassian Jira Service Management | =5.3.0 | |
| Atlassian Jira Service Management | =5.3.1 | |
| Atlassian Jira Service Management | =5.3.1 | |
| Atlassian Jira Service Management | =5.3.2 | |
| Atlassian Jira Service Management | =5.3.2 | |
| Atlassian Jira Service Management | =5.3.3 | |
| Atlassian Jira Service Management | =5.3.3 | |
| Atlassian Jira Service Management | =5.4.0 | |
| Atlassian Jira Service Management | =5.4.0 | |
| Atlassian Jira Service Management | =5.4.1 | |
| Atlassian Jira Service Management | =5.4.1 | |
| Atlassian Jira Service Management | =5.4.2 | |
| Atlassian Jira Service Management | =5.4.2 | |
| Atlassian Jira Service Management | =5.4.3 | |
| Atlassian Jira Service Management | =5.4.3 | |
| Atlassian Jira Service Management | =5.4.4 | |
| Atlassian Jira Service Management | =5.4.4 | |
| Atlassian Jira Service Management | =5.4.5 | |
| Atlassian Jira Service Management | =5.4.5 | |
| Atlassian Jira Service Management | =5.4.6 | |
| Atlassian Jira Service Management | =5.4.6 | |
| Atlassian Jira Service Management | =5.4.7 | |
| Atlassian Jira Service Management | =5.4.7 | |
| Atlassian Jira Service Management | =5.4.8 | |
| Atlassian Jira Service Management | =5.4.8 | |
| Atlassian Jira Service Management | =5.4.9 | |
| Atlassian Jira Service Management | =5.4.9 | |
| Atlassian Jira Service Management | =5.5.1 | |
| Atlassian Jira Service Management | =5.5.1 | |
| Atlassian Jira Service Management | =5.6.0 | |
| Atlassian Jira Service Management | =5.6.0 | |
| Atlassian Jira Service Management | =5.7.0 | |
| Atlassian Jira Service Management | =5.7.0 | |
| Atlassian Jira Service Management | =5.7.1 | |
| Atlassian Jira Service Management | =5.7.1 | |
| Atlassian Jira Service Management | =5.8.0 | |
| Atlassian Jira Service Management | =5.8.0 | |
| Atlassian Jira Service Management | =5.8.1 | |
| Atlassian Jira Service Management | =5.8.1 | |
| Atlassian Jira Service Management | =5.9.0 | |
| Atlassian Jira Service Management | =5.9.0 | |
| Atlassian Jira Service Management | =5.10.0 | |
| Atlassian Jira Service Management | =5.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-13990
- https://github.com/quartz-scheduler/quartz/issues/467
- https://github.com/quartz-scheduler/quartz/pull/501
- https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551
- https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170
- https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20221028-0002/
- https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html
- https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E
- https://github.com/advisories/GHSA-9qcf-c26r-x5rf (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/165431
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1814510
- https://access.redhat.com/errata/RHSA-2020:3196
- https://access.redhat.com/errata/RHSA-2020:3197
- https://access.redhat.com/security/cve/cve-2019-13990
- https://access.redhat.com/errata/RHSA-2020:3247
- https://access.redhat.com/errata/RHSA-2020:5568
- https://bugzilla.redhat.com/show_bug.cgi?id=1801149
- https://www.cve.org/CVERecord?id=CVE-2019-13990 https://nvd.nist.gov/vuln/detail/CVE-2019-13990
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/ibm-support
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-9qcf-c26r-x5rf
- alias/CVE-2019-13990
- collector/github-advisory
- agent/first-publish-date
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/references
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-api
- package-manager/redhat
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- package-manager/maven
- vendor/softwareag
- canonical/softwareag quartz
- vendor/oracle
- canonical/oracle apache batik mapviewer
- version/oracle apache batik mapviewer/12.2.0.1
- version/oracle apache batik mapviewer/18c
- version/oracle apache batik mapviewer/19c
- canonical/oracle banking enterprise originations
- version/oracle banking enterprise originations/2.7.0
- version/oracle banking enterprise originations/2.8.0
- canonical/oracle banking enterprise product manufacturing
- version/oracle banking enterprise product manufacturing/2.7.0
- version/oracle banking enterprise product manufacturing/2.8.0
- canonical/oracle banking payments
- version/oracle banking payments/14.1.0
- version/oracle banking payments/14.4.0
- canonical/oracle communications ip service activator
- version/oracle communications ip service activator/7.3.0
- version/oracle communications ip service activator/7.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.2
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- canonical/oracle documaker
- version/oracle documaker/12.6.0
- version/oracle documaker/12.6.4
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2.1.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle flexcube investor servicing
- version/oracle flexcube investor servicing/12.1.0
- version/oracle flexcube investor servicing/12.3.0
- version/oracle flexcube investor servicing/12.4.0
- version/oracle flexcube investor servicing/14.1.0
- version/oracle flexcube investor servicing/14.4.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle fusion middleware mapviewer
- version/oracle fusion middleware mapviewer/12.2.1.3.0
- canonical/oracle google guava mapviewer
- version/oracle google guava mapviewer/12.2.0.1
- version/oracle google guava mapviewer/18c
- version/oracle google guava mapviewer/19c
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle jd edwards enterpriseone orchestrator
- version/oracle jd edwards enterpriseone orchestrator/9.2.5.3
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- canonical/oracle retail back office
- version/oracle retail back office/14.1
- canonical/oracle retail central office
- version/oracle retail central office/14.1
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/16.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- version/oracle retail order broker/18.0
- version/oracle retail order broker/19.0
- canonical/oracle retail point-of-service
- version/oracle retail point-of-service/14.1
- canonical/oracle retail returns management
- version/oracle retail returns management/14.1
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0
- version/oracle retail xstore point of service/16.0
- version/oracle retail xstore point of service/17.0
- version/oracle retail xstore point of service/18.0
- version/oracle retail xstore point of service/19.0
- canonical/oracle terracotta quartz scheduler mapviewer
- version/oracle terracotta quartz scheduler mapviewer/12.2.0.1
- version/oracle terracotta quartz scheduler mapviewer/18c
- version/oracle terracotta quartz scheduler mapviewer/19c
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0
- vendor/apache
- canonical/apache tomee
- version/apache tomee/7.1.3
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud secure agent
- vendor/atlassian
- canonical/atlassian jira service management
- version/atlassian jira service management/4.20.0
- version/atlassian jira service management/4.20.1
- version/atlassian jira service management/4.20.2
- version/atlassian jira service management/4.20.3
- version/atlassian jira service management/4.20.4
- version/atlassian jira service management/4.20.5
- version/atlassian jira service management/4.20.6
- version/atlassian jira service management/4.20.7
- version/atlassian jira service management/4.20.8
- version/atlassian jira service management/4.20.9
- version/atlassian jira service management/4.20.10
- version/atlassian jira service management/4.20.11
- version/atlassian jira service management/4.20.12
- version/atlassian jira service management/4.20.13
- version/atlassian jira service management/4.20.14
- version/atlassian jira service management/4.20.15
- version/atlassian jira service management/4.20.16
- version/atlassian jira service management/4.20.17
- version/atlassian jira service management/4.20.18
- version/atlassian jira service management/4.20.19
- version/atlassian jira service management/4.20.20
- version/atlassian jira service management/4.20.21
- version/atlassian jira service management/4.20.22
- version/atlassian jira service management/4.20.23
- version/atlassian jira service management/4.20.24
- version/atlassian jira service management/4.20.25
- version/atlassian jira service management/4.21.0
- version/atlassian jira service management/4.21.1
- version/atlassian jira service management/4.22.0
- version/atlassian jira service management/4.22.1
- version/atlassian jira service management/4.22.2
- version/atlassian jira service management/4.22.3
- version/atlassian jira service management/4.22.4
- version/atlassian jira service management/4.22.6
- version/atlassian jira service management/5.0.0
- version/atlassian jira service management/5.1.0
- version/atlassian jira service management/5.1.1
- version/atlassian jira service management/5.2.0
- version/atlassian jira service management/5.2.1
- version/atlassian jira service management/5.3.0
- version/atlassian jira service management/5.3.1
- version/atlassian jira service management/5.3.2
- version/atlassian jira service management/5.3.3
- version/atlassian jira service management/5.4.0
- version/atlassian jira service management/5.4.1
- version/atlassian jira service management/5.4.2
- version/atlassian jira service management/5.4.3
- version/atlassian jira service management/5.4.4
- version/atlassian jira service management/5.4.5
- version/atlassian jira service management/5.4.6
- version/atlassian jira service management/5.4.7
- version/atlassian jira service management/5.4.8
- version/atlassian jira service management/5.4.9
- version/atlassian jira service management/5.5.1
- version/atlassian jira service management/5.6.0
- version/atlassian jira service management/5.7.0
- version/atlassian jira service management/5.7.1
- version/atlassian jira service management/5.8.0
- version/atlassian jira service management/5.8.1
- version/atlassian jira service management/5.9.0
- version/atlassian jira service management/5.10.0