Lucene search

[email protected]CVE-2019-13990

HistoryJul 26, 2019 - 7:15 p.m.

CVE-2019-13990

2019-07-2619:15:00

CWE-611

[email protected]

web.nvd.nist.gov

451

xxe

vulnerability

terracotta quartz scheduler

cve-2019-13990

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

80.8%

JSON

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

CPENameOperatorVersion
softwareag:quartzsoftwareag quartzlt2.3.2
oracle:flexcube_investor_servicingoracle flexcube investor servicingeq12.3.0
oracle:flexcube_investor_servicingoracle flexcube investor servicingeq12.1.0
oracle:retail_xstore_point_of_serviceoracle retail xstore point of serviceeq15.0
oracle:flexcube_private_bankingoracle flexcube private bankingeq12.1.0
oracle:primavera_unifieroracle primavera unifiereq16.2
oracle:flexcube_private_bankingoracle flexcube private bankingeq12.0.0
oracle:primavera_unifieroracle primavera unifiereq16.1
oracle:retail_integration_busoracle retail integration buseq15.0
oracle:retail_back_officeoracle retail back officeeq14.1

CPE	Name	Operator	Version
softwareag:quartz	softwareag quartz	lt	2.3.2
oracle:flexcube_investor_servicing	oracle flexcube investor servicing	eq	12.3.0
oracle:flexcube_investor_servicing	oracle flexcube investor servicing	eq	12.1.0
oracle:retail_xstore_point_of_service	oracle retail xstore point of service	eq	15.0
oracle:flexcube_private_banking	oracle flexcube private banking	eq	12.1.0
oracle:primavera_unifier	oracle primavera unifier	eq	16.2
oracle:flexcube_private_banking	oracle flexcube private banking	eq	12.0.0
oracle:primavera_unifier	oracle primavera unifier	eq	16.1
oracle:retail_integration_bus	oracle retail integration bus	eq	15.0
oracle:retail_back_office	oracle retail back office	eq	14.1

Rows per page:

1-10 of 1171

References

confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html

github.com/quartz-scheduler/quartz/issues/467

lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E

lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E

lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E

lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E

lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E

lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E

security.netapp.com/advisory/ntap-20221028-0002/

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpuapr2020.html