Spring Security Advisories

CVE-2019-3772: XML External Entity Injection (XXE)

CRITICAL | JANUARY 14, 2019 | CVE-2019-3772

Description

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Affected Spring Products and Versions

  • Spring Integration 5.1.1, 5.0.10, 4.3.18 and older unsupported versions (spring-integration-xml and spring-integration-ws modules)

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade spring-integration-xml and spring-integration-ws to 4.3.19, 5.0.11 or 5.1.2 (or a later release on the same line).
  • As of those versions, the Spring Integration components that exhibited this vulnerability disable by default the XML parser features that allow external entities to be resolved, as advised in the referenced cheat sheet [1]. The components remain configurable, so a user can re-enable those features on a component that only ever receives XML from a trusted source.

History

  • 2019-01-14: Initial vulnerability report published.
