CVE-2019-13990

Description

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 13.78%• Percentile: 94%

Techniques & Countermeasures

• CWE-611•Improper Restriction of XML External Entity Reference

  The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Systems

• apache•tomee

  7.1.3

• atlassian•jira_service_management

  4.20.0 | 4.20.1 | 4.20.2 | 4.20.3 | 4.20.4 | 4.20.5 | 4.20.6 | 4.20.7 | 4.20.8 | 4.20.9 | 4.20.10 | 4.20.11 | 4.20.12 | 4.20.13 | 4.20.14 | 4.20.15 | 4.20.16 | 4.20.17 | 4.20.18 | 4.20.19 | 4.20.20 | 4.20.21 | 4.20.22 | 4.20.23 | 4.20.24 | 4.20.25 | 4.21.0 | 4.21.1 | 4.22.0 | 4.22.1 | 4.22.2 | 4.22.3 | 4.22.4 | 4.22.6 | 5.0.0 | 5.1.0 | 5.1.1 | 5.2.0 | 5.2.1 | 5.3.0 | 5.3.1 | 5.3.2 | 5.3.3 | 5.4.0 | 5.4.1 | 5.4.2 | 5.4.3 | 5.4.4 | 5.4.5 | 5.4.6 | 5.4.7 | 5.4.8 | 5.4.9 | 5.5.1 | 5.6.0 | 5.7.0 | 5.7.1 | 5.8.0 | 5.8.1 | 5.9.0 | 5.10.0

• org.quartz-scheduler•quartz

  < 2.3.2

• netapp•active_iq_unified_manager

  na

• netapp•cloud_secure_agent

  na

• oracle•apache_batik_mapviewer

  12.2.0.1 | 18c | 19c

• oracle•banking_enterprise_originations

  2.7.0 | 2.8.0

• oracle•banking_enterprise_product_manufacturing

  2.7.0 | 2.8.0

• oracle•banking_payments

  ≥ 14.1.0, ≤ 14.4.0

• oracle•communications_ip_service_activator

  7.3.0 | 7.4.0

• oracle•communications_session_route_manager

  ≥ 8.2.0, ≤ 8.2.2

• oracle•customer_management_and_segmentation_foundation

  18.0

• oracle•documaker

  ≥ 12.6.0, ≤ 12.6.4

• oracle•enterprise_manager_base_platform

  13.2.1.0

• oracle•enterprise_manager_ops_center

  12.4.0.0

• oracle•flexcube_investor_servicing

  12.1.0 | 12.3.0 | 12.4.0 | 14.1.0 | 14.4.0

• oracle•flexcube_private_banking

  12.0.0 | 12.1.0

• oracle•fusion_middleware_mapviewer

  12.2.1.3.0

• oracle•google_guava_mapviewer

  12.2.0.1 | 18c | 19c

• oracle•hyperion_infrastructure_technology

  11.1.2.4

• oracle•jd_edwards_enterpriseone_orchestrator

  ≤ 9.2.5.3

• oracle•primavera_unifier

  ≥ 17.7, ≤ 17.12 | 16.1 | 16.2 | 18.8

• oracle•retail_back_office

  14.1

• oracle•retail_central_office

  14.1

• oracle•retail_integration_bus

  15.0 | 16.0

• oracle•retail_order_broker

  15.0 | 16.0 | 18.0 | 19.0

• oracle•retail_point-of-service

  14.1

• oracle•retail_returns_management

  14.1

• oracle•retail_xstore_point_of_service

  15.0 | 16.0 | 17.0 | 18.0 | 19.0

• oracle•terracotta_quartz_scheduler_mapviewer

  12.2.0.1 | 18c | 19c

• oracle•webcenter_sites

  12.2.1.3.0 | 12.2.1.4.0

• softwareag•quartz

  < 2.3.2

References (31)

• https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://github.com/quartz-scheduler/quartz/issues/467
• https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://security.netapp.com/advisory/ntap-20221028-0002/
• https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html
• https://nvd.nist.gov/vuln/detail/CVE-2019-13990
• https://github.com/quartz-scheduler/quartz/pull/501
• https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551
• https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E
• https://security.netapp.com/advisory/ntap-20221028-0002
• https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170
• https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E
• https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E
• https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E
• https://github.com/quartz-scheduler/quartz