Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdyNXItbThwYy04NWo5
Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Permalink: https://github.com/advisories/GHSA-wr5r-m8pc-85j9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdyNXItbThwYy04NWo5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 5 years ago
Updated: about 2 months ago
Identifiers: GHSA-wr5r-m8pc-85j9, CVE-2019-3772
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-3772
- https://github.com/advisories/GHSA-wr5r-m8pc-85j9
- https://pivotal.io/security/cve-2019-3772
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://www.securityfocus.com/bid/106749
- https://github.com/spring-projects/spring-integration/commit/59c69ed40d3755ef59f80872e0ea711adbb13620
Blast Radius: 0.0
Affected Packages
maven:org.springframework.integration:spring-integration-ws
Dependent packages: 62Dependent repositories: 217
Downloads:
Affected Version Ranges: >= 5.1.0, < 5.1.2, >= 5.0.0, < 5.0.11, < 4.3.19
Fixed in: 5.1.2, 5.0.11, 4.3.19
All affected versions:
All unaffected versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.2.0, 6.2.1, 6.2.2, 6.2.3
maven:org.springframework.integration:spring-integration-xml
Dependent packages: 71Dependent repositories: 274
Downloads:
Affected Version Ranges: >= 5.1.0, < 5.1.2, >= 5.0.0, < 5.0.11, < 4.3.19
Fixed in: 5.1.2, 5.0.11, 4.3.19
All affected versions:
All unaffected versions: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.2.0, 6.2.1, 6.2.2, 6.2.3