GHSA-8222-6fc8-mhvf

Source
https://github.com/advisories/GHSA-8222-6fc8-mhvf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-8222-6fc8-mhvf/GHSA-8222-6fc8-mhvf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8222-6fc8-mhvf
Aliases
Published
2019-01-25T16:18:52Z
Modified
2023-11-08T04:01:34.038846Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Details

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Database specific
{
    "nvd_published_at": "2019-01-18T22:29:00Z",
    "github_reviewed_at": "2020-06-16T21:23:54Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Maven / org.springframework.ws:spring-ws

Package

Name
org.springframework.ws:spring-ws
Purl
pkg:maven/org.springframework.ws/spring-ws

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.4

Affected versions

1.*

1.0-m2
1.0-m3
1.0-rc1
1.0-rc2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10

2.*

2.0.0-M1
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.4.1.RELEASE
2.4.2.RELEASE
2.4.3.RELEASE

Maven / org.springframework.ws:spring-ws

Package

Name
org.springframework.ws:spring-ws
Purl
pkg:maven/org.springframework.ws/spring-ws

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 3.0.4"
}

Maven / org.springframework.ws:spring-xml

Package

Name
org.springframework.ws:spring-xml
Purl
pkg:maven/org.springframework.ws/spring-xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.4

Affected versions

1.*

1.0-m2
1.0-m3
1.0-rc1
1.0-rc2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10

2.*

2.0.0-M1
2.0.0.RELEASE
2.0.1.RELEASE
2.0.2.RELEASE
2.0.3.RELEASE
2.0.4.RELEASE
2.0.5.RELEASE
2.1.0.RELEASE
2.1.1.RELEASE
2.1.2.RELEASE
2.1.3.RELEASE
2.1.4.RELEASE
2.2.0.RELEASE
2.2.1.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.3.0.RELEASE
2.3.1.RELEASE
2.4.0.RELEASE
2.4.1.RELEASE
2.4.2.RELEASE
2.4.3.RELEASE

Maven / org.springframework.ws:spring-xml

Package

Name
org.springframework.ws:spring-xml
Purl
pkg:maven/org.springframework.ws/spring-xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

3.*

3.0.0.RELEASE
3.0.1.RELEASE
3.0.2.RELEASE
3.0.3.RELEASE
3.0.4.RELEASE
3.0.5.RELEASE

Database specific

{
    "last_known_affected_version_range": "<= 3.0.4"
}