CVE-2019-3773 — Vulnerability that affects org.springframework.ws:spring-ws and org.springframew

Description

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

How to fix CVE-2019-3773

To remediate CVE-2019-3773, upgrade the affected package to a fixed version below.

—upgrade to 2.4.4 or later
—upgrade to 2.4.4 or later

Is CVE-2019-3773 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.4.4
from 0, < 2.4.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYgithub.com/advisories/GHSA-8222-6fc8-mhvf
ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-3773
WEBpivotal.io/security/cve-2019-3773
WEBwww.oracle.com/security-alerts/cpuApr2021.html
WEB