Nexus Intelligence Insights: CVE-2019-3773 Spring Web Services XML External Entity Injection (XXE)

Spring, a widely used framework, makes many kinds of Java programming easier, faster, and safer. The project’s focus on speed, simplicity, and productivity has made it one of the world’s most popular Java frameworks. Spring’s multifaceted use cases include building microservices, cloud apps, and event-driven systems. Spring is the framework of choice for countless Java developers building sleek MVC applications.

Today, however, we bring to light a serious vulnerability that has impacted some versions of Spring Web Services and offer remediation tips. If you’re an avid Spring Web Services user, it is a good idea to check whether you are impacted by this vulnerability.

Name of the vulnerability: CVE-2019-3773
Type of vulnerability: XXE
Severity: 8.8
CVSS 3.0 Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Versions Affected:

  1. org.springframework.ws:spring-ws-core-tiger: all versions are vulnerable.
  2. org.springframework.ws:spring-xml:
     • For 3.x: all versions prior to 3.0.5.RELEASE are vulnerable.
     • For 1.x and 2.x: all versions prior to 2.4.4.RELEASE are vulnerable.
  3. org.springframework.ws:spring-ws-core:
     • For 3.x: all versions prior to 3.0.5.RELEASE are vulnerable.
     • For 1.x and 2.x: all versions prior to 2.4.4.RELEASE are vulnerable.

Vulnerability Description:

The Spring Web Services `spring-ws-core` and `spring-xml` packages are vulnerable to XML External Entity (XXE) attacks. Multiple XML-parsing code paths throughout the component fail to properly restrict the processing of external entities declared in untrusted XML. A remote attacker can exploit this vulnerability by crafting and submitting XML data containing malicious external entity references, and can leverage it to perform various XXE-related attacks against the server.

Advisory Deviation Notice: The Sonatype security research team discovered that the fix for this vulnerability was actually introduced in version 3.0.5.RELEASE (for 3.x versions) and not version 3.0.6.RELEASE as (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: https://blog.sonatype.com/cve-2019-3773-spring-web-services-xml-external-entity-injection-xxe