CVE-2019-13990

CVE Database · CVE-2019-13990

CVE-2019-13990

· CRITICALModified

CVSS v3.1

9.8

EPSS

16.63%

Published

Jul 26, 2019

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-611CWE-611

Affected Products (180)

softwareag · quartz (up to 2.3.2)vulnerable

oracle · apache_batik_mapviewervulnerable

oracle · banking_enterprise_originationsvulnerable

oracle · banking_enterprise_product_manufacturingvulnerable

oracle · banking_paymentsvulnerable

oracle · communications_ip_service_activator

References (20)

https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html

Third Party Advisory

https://github.com/quartz-scheduler/quartz/issues/467

Issue TrackingThird Party Advisory

https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E

Issue Tracking

https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E

KEV Catalog EPSS Scores Vendors All CVEs

oracle · communications_ip_service_activatorvulnerable

oracle · communications_session_route_managervulnerable

oracle · customer_management_and_segmentation_foundationvulnerable

oracle · documakervulnerable

oracle · enterprise_manager_base_platformvulnerable

oracle · enterprise_manager_ops_centervulnerable

oracle · flexcube_investor_servicingvulnerable

oracle · flexcube_private_bankingvulnerable

oracle · fusion_middleware_mapviewervulnerable

oracle · google_guava_mapviewervulnerable

oracle · hyperion_infrastructure_technologyvulnerable

oracle · jd_edwards_enterpriseone_orchestratorvulnerable

oracle · primavera_unifiervulnerable

oracle · retail_back_officevulnerable

oracle · retail_central_officevulnerable

oracle · retail_integration_busvulnerable

oracle · retail_order_brokervulnerable

oracle · retail_point-of-servicevulnerable

oracle · retail_returns_managementvulnerable

oracle · retail_xstore_point_of_servicevulnerable

oracle · terracotta_quartz_scheduler_mapviewervulnerable