CVE-2019-3772

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-3772

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3772.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-3772

Aliases

GHSA-wr5r-m8pc-85j9

Published

2019-01-18T22:29:00.973Z

Modified

2026-04-10T04:18:08.445748Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

References

Affected packages

Git / github.com/spring-projects/spring-integration

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-integration

Events

Introduced

Last affected

0c8a0076a97c3f7a8cb5a8e072ed9f0aaebd9964

Introduced

7072beab20ff99a7c209bedfdb578b0ab45bbac4

Last affected

0fd9321ec8f026ab424ac768e9a843934d381c21

Introduced

3c4529e6cd3feb731f060f4822e9682b9244cfea

Last affected

b047b8d9bb0da79765fe862927273aa6ccadb546

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.3.18"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "last_affected": "5.0.10"
        },
        {
            "introduced": "5.1.0"
        },
        {
            "last_affected": "5.1.1"
        }
    ]
}

Affected versions

v2.*

v2.0.0.RC1

v2.0.0.RC2

v2.0.0.RELEASE

v2.0.1.RELEASE

v2.0.2.RELEASE

v2.0.3.RELEASE

v2.0.4.RELEASE

v2.0.5.RELEASE

v2.1.0.M1

v2.1.0.M2

v2.1.0.M3

v2.1.0.RC1

v2.1.0.RC2

v2.1.0.RELEASE

v2.1.1.RELEASE

v2.2.0.M1

v2.2.0.M2

v2.2.0.M3

v2.2.0.M3.SPRINT1

v2.2.0.M3.SPRINT2

v2.2.0.M3.SPRINT3

v2.2.0.M4

v2.2.0.M4.SPRINT1

v2.2.0.M4.SPRINT2

v2.2.0.M4.SPRINT3

v2.2.0.RC1

v2.2.0.RC2

v2.2.0.RC3

v2.2.0.RELEASE

v2.2.1b.RELEASE

v3.*

v3.0.0.M1

v3.0.0.M2

v3.0.0.M3

v4.*

v4.0.0.M2

v4.0.0.M3

v4.0.0.M4

v4.0.0.RC1

v4.0.0.RELEASE

v4.0.1.RELEASE

v4.0.2.RELEASE

v4.1.0.M1

v4.1.0.RC1

v4.1.0.RELEASE

v4.1.1.RELEASE

v4.1.2.RELEASE

v4.2.0.M1

v4.2.0.M2

v4.2.0.RC1

v4.2.0.RELEASE

v4.2.1.RELEASE

v4.2.2.RELEASE

v4.3.0.M1

v4.3.0.M2

v4.3.0.RC1

v4.3.0.RELEASE

v4.3.1.RELEASE

v4.3.10.RELEASE

v4.3.11.RELEASE

v4.3.12.RELEASE

v4.3.13.RELEASE

v4.3.14.RELEASE

v4.3.15.RELEASE

v4.3.16.RELEASE

v4.3.17.RELEASE

v4.3.18.RELEASE

v4.3.2.RELEASE

v4.3.3.RELEASE

v4.3.4.RELEASE

v4.3.5.RELEASE

v4.3.6.RELEASE

v4.3.7.RELEASE

v4.3.8.RELEASE

v4.3.9.RELEASE

v5.*

v5.0.0.RELEASE

v5.0.1.RELEASE

v5.0.10.RELEASE

v5.0.2.RELEASE

v5.0.3.RELEASE

v5.0.4.RELEASE

v5.0.5.RELEASE

v5.0.6.RELEASE

v5.0.7.RELEASE

v5.0.8.RELEASE

v5.0.9.RELEASE

v5.1.0.RELEASE

v5.1.1.RELEASE

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3772.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.0"
            }
        ]
    }
]