Miggo Logo
Miggo Vulnerability Database
CVE-2019-3773

CVE-2019-3773: Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-3773
GHSA ID
GHSA-8222-6fc8-mhvf
EPSS Score
0.5372%
CWE
CWE-611
Published
1/25/2019
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.springframework.ws:spring-wsmaven< 2.4.42.4.4
org.springframework.ws:spring-wsmaven>= 3.0.0, <= 3.0.43.0.6
org.springframework.ws:spring-xmlmaven< 2.4.42.4.4
org.springframework.ws:spring-xmlmaven>= 3.0.0, <= 3.0.43.0.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper restriction of XML external entity processing. Analysis focuses on:

  1. Core XML parsing configuration points in Spring WS
  2. Message factory initialization sequences
  3. XPath processing components While exact patch diffs aren't provided, advisory notes indicate the fix involved disabling DTD/external entity support by default. The identified functions represent key XML processing entry points that would handle untrusted input and require secure configuration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Sprin* W** S*rvi**s, v*rsions *.*.*, *.*.*, *n* ol**r unsupport** v*rsions o* *ll t*r** proj**ts, w*r* sus**pti*l* to XML *xt*rn*l *ntity Inj**tion (XX*) w**n r***ivin* XML **t* *rom untrust** sour**s.

Reasoning

T** vuln*r**ility st*ms *rom improp*r r*stri*tion o* XML *xt*rn*l *ntity pro**ssin*. *n*lysis *o*us*s on: *. *or* XML p*rsin* *on*i*ur*tion points in Sprin* WS *. M*ss*** ***tory initi*liz*tion s*qu*n**s *. XP*t* pro**ssin* *ompon*nts W*il* *x**t p*t