CVE-2019-13990

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name	Vendor	Start Version	End Version
Quartz	Softwareag	*	2.3.2 (excluding)
Red Hat Decision Manager 7	RedHat	quartz	*
Red Hat Fuse 7.8.0	RedHat	quartz	*
Red Hat Process Automation 7	RedHat	quartz	*
Red Hat Virtualization Engine 4.4	RedHat	rhvm-dependencies-0:4.4.0-1.el8ev	*
Libquartz-java	Ubuntu	bionic	*
Libquartz-java	Ubuntu	disco	*
Libquartz-java	Ubuntu	eoan	*
Libquartz-java	Ubuntu	focal	*
Libquartz-java	Ubuntu	groovy	*
Libquartz-java	Ubuntu	hirsute	*
Libquartz-java	Ubuntu	impish	*
Libquartz-java	Ubuntu	kinetic	*
Libquartz-java	Ubuntu	lunar	*
Libquartz-java	Ubuntu	mantic	*
Libquartz-java	Ubuntu	oracular	*
Libquartz-java	Ubuntu	plucky	*
Libquartz-java	Ubuntu	trusty	*
Libquartz-java	Ubuntu	xenial	*
Libquartz2-java	Ubuntu	bionic	*
Libquartz2-java	Ubuntu	disco	*
Libquartz2-java	Ubuntu	eoan	*
Libquartz2-java	Ubuntu	focal	*
Libquartz2-java	Ubuntu	trusty	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/221.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-13990
CWE	https://cwe.mitre.org/data/definitions/611.html

Improper Restriction of XML External Entity Reference

Weakness

Affected Software

Potential Mitigations

References

CVE-2019-13990

Improper Restriction of XML External Entity Reference

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References