Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-13990. PoCs published by epicosy.
AI-analyzed exploit summary The repository contains example code from the Quartz scheduler library but lacks any exploit code or technical analysis related to CVE-2019-13990. The files are standard examples and do not demonstrate the vulnerability.
Description
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Exploits (1)
nomisec
STUB
by epicosy · poc
https://github.com/epicosy/Quartz-1
The repository contains example code from the Quartz scheduler library but lacks any exploit code or technical analysis related to CVE-2019-13990. The files are standard examples and do not demonstrate the vulnerability.
Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target:
Quartz Scheduler
No auth needed
devstral-2 · analyzed Feb 18, 2026
Full analysis →
References (17)
Core 17
Core References
Issue Tracking mailing-list
https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
Issue Tracking mailing-list
https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E
Issue Tracking mailing-list
https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
Patch mailing-list
https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E
Third Party Advisory mailing-list
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
Issue Tracking mailing-list
https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E
Issue Tracking mailing-list
https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E
Patch mailing-list
https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
Issue Tracking, Third Party Advisory
https://github.com/quartz-scheduler/quartz/issues/467
Third Party Advisory
https://security.netapp.com/advisory/ntap-20221028-0002/
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3
9.8
EPSS
0.1347
EPSS Percentile
94.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-611
Status
published
Products (26)
apache/tomee
7.1.3
atlassian/jira_service_management
4.20.0 (2 CPE variants)
atlassian/jira_service_management
4.20.1 (2 CPE variants)
atlassian/jira_service_management
4.20.2 (2 CPE variants)
atlassian/jira_service_management
4.20.3 (2 CPE variants)
atlassian/jira_service_management
4.20.4 (2 CPE variants)
atlassian/jira_service_management
4.20.5 (2 CPE variants)
atlassian/jira_service_management
4.20.6 (2 CPE variants)
atlassian/jira_service_management
4.20.7 (2 CPE variants)
atlassian/jira_service_management
4.20.8 (2 CPE variants)
... and 16 more
Published
Jul 26, 2019
Tracked Since
Feb 18, 2026