Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2019-3772: XML External Entity Injection (XXE)
Description
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Affected Spring Products and Versions
- Spring Integration versions 5.1.1, 5.0.10, 4.3.18 and older
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade spring-integration-ws, spring-integration-xml to 4.3.19, 5.0.11, 5.1.2 or later.
- Spring Integration components that exhibited this vulnerability now disable the features as advised in the reference cheat sheet [1] by default, but allow user configuration of the components if the feature can be enabled because XML is received from a trusted source.
References
History
2019-01-14: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all