Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml · CVE-2019-3772 · GitHub Advisory Database · GitHub

Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml

Low severity GitHub Reviewed Published Jan 25, 2019 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

org.springframework.integration:spring-integration-ws (Maven)

Affected versions

< 4.3.19

>= 5.0.0, < 5.0.11

>= 5.1.0, < 5.1.2

Patched versions

4.3.19

5.0.11

5.1.2

org.springframework.integration:spring-integration-xml (Maven)

< 4.3.19

>= 5.0.0, < 5.0.11

>= 5.1.0, < 5.1.2

4.3.19

5.0.11

5.1.2

Description

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

References

Published to the GitHub Advisory Database Jan 25, 2019

Reviewed Jun 16, 2020

Last updated Mar 4, 2024