First published: Fri Jan 18 2019
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Credit: security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Spring Integration | <=4.3.18 | |
| VMware Spring Integration | >=5.0.0, <=5.0.10 | |
| VMware Spring Integration | >=5.1.0, <=5.1.1 | |
| Oracle Retail Customer Management and Segmentation Foundation | =16.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =17.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =18.0 | |
| maven/org.springframework.integration:spring-integration-ws | >=5.1.0, <5.1.2 | 5.1.2 |
| maven/org.springframework.integration:spring-integration-ws | >=5.0.0, <5.0.11 | 5.0.11 |
| maven/org.springframework.integration:spring-integration-ws | <4.3.19 | 4.3.19 |
| maven/org.springframework.integration:spring-integration-xml | >=5.1.0, <5.1.2 | 5.1.2 |
| maven/org.springframework.integration:spring-integration-xml | >=5.0.0, <5.0.11 | 5.0.11 |
| maven/org.springframework.integration:spring-integration-xml | <4.3.19 | 4.3.19 |
CVE-2019-3772 is a vulnerability in Spring Integration (the spring-integration-xml and spring-integration-ws modules) that allows XML External Entity Injection (XXE) when XML data is received from untrusted sources.
The severity of CVE-2019-3772 is critical with a severity score of 9.8 out of 10.
Versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions of Spring Integration (spring-integration-xml and spring-integration-ws modules) are affected by CVE-2019-3772.
In CVE-2019-3772, XML External Entity Injection (XXE) is triggered when the application parses XML data from untrusted sources: the XML parser may resolve external entities declared in the input, which can disclose internal files or be used for server-side request forgery (SSRF).
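The mitigation for this class of bug is to configure the XML parser so that DOCTYPE declarations and external entities are never resolved. The following is an added example, not code from Spring Integration or from the advisory; it builds a hardened `DocumentBuilderFactory` and checks it against a constructed XXE-shaped document (the `HardenedXmlParser` class, the `parseUntrusted` method and the placeholder file path are all assumptions).

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed sample input: a document with an external entity declaration,
    // the shape of input the advisory concerns. The path is a placeholder; the
    // point is only that the hardened parser refuses the DOCTYPE outright.
    static final String SAMPLE_XXE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///path/to/local/file\">]>\n"
        + "<doc>&ext;</doc>";

    /** Factory with DTDs, external entities and XInclude disabled (hypothetical helper). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse untrusted XML; returns null when the parser rejects the input. */
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            // A DOCTYPE in untrusted input is a detection signal worth logging.
            System.err.println("rejected XML input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document probe = parseUntrusted(SAMPLE_XXE);
        System.out.println(probe == null ? "entity-bearing document rejected" : "unexpectedly parsed");
        Document benign = parseUntrusted("<doc>hello</doc>");
        System.out.println("benign root text: " + benign.getDocumentElement().getTextContent());
    }
}
```

Run against the JDK's built-in parser, the first call raises a `SAXParseException` at the DOCTYPE and returns null, while the plain document without a DOCTYPE parses normally.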
You can find more information about CVE-2019-3772 at the following references: [SecurityFocus](http://www.securityfocus.com/bid/106749), [Pivotal](https://pivotal.io/security/cve-2019-3772), [Oracle](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html).