CVE-2019-3772

CRITICAL

Spring Integration < 4.3.18 - XML External Entity Injection

Title source: llm

Description

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

References (3)

Core 3

Core References

Mitigation, Vendor Advisory x_refsource_confirm

https://pivotal.io/security/cve-2019-3772

Patch x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106749

Scores

CVSS v3 9.8

EPSS 0.0172

EPSS Percentile 82.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611

Status published

Products (6)

oracle/retail_customer_management_and_segmentation_foundation 16.0

oracle/retail_customer_management_and_segmentation_foundation 17.0

oracle/retail_customer_management_and_segmentation_foundation 18.0

org.springframework.integration/spring-integration-ws 0 - 4.3.19Maven

org.springframework.integration/spring-integration-xml 0 - 4.3.19Maven

vmware/spring_integration < 4.3.18

Published Jan 18, 2019

Tracked Since Feb 18, 2026