Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2019-13990

CVE-2019-13990:
XML external entity injection in Terracotta Quartz Scheduler

9.8

CVSS Score

Basic Information

CVE ID
CVE-2019-13990
GHSA ID
GHSA-9qcf-c26r-x5rf
EPSS Score
-
CWE
CWE-611
Published
7/1/2020
Updated
10/15/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.quartz-scheduler:quartzmaven< 2.3.22.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The analysis of the patch for CVE-2019-13990 shows that the initDocumentParser function in XMLSchedulingDataProcessor.java was modified to prevent XXE attacks by setting specific features on the document builder factory. This indicates that the original version of this function was vulnerable to XXE attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

init*o*um*ntP*rs*r in xml/XMLS****ulin***t*Pro**ssor.j*v* in T*rr**ott* Qu*rtz S****ul*r t*rou** *.*.* *llows XX* *tt**ks vi* * jo* **s*ription.

Reasoning

T** *n*lysis o* t** p*t** *or *V*-****-***** s*ows t**t t** init*o*um*ntP*rs*r *un*tion in XMLS****ulin***t*Pro**ssor.j*v* w*s mo*i*i** to pr*v*nt XX* *tt**ks *y s*ttin* sp**i*i* ***tur*s on t** *o*um*nt *uil**r ***tory. T*is in*i**t*s t**t t** ori*i