initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P
Vendors Products
Oracle
  • Documaker
  • Retail Integration Bus
  • Banking Payments
  • Jd Edwards Enterpriseone Orchestrator
  • Retail Xstore Point Of Service
  • Enterprise Manager Ops Center
  • Flexcube Investor Servicing
  • Retail Order Broker
  • Communications Session Route Manager
  • Retail Point-of-service
  • Communications Ip Service Activator
  • Retail Back Office
  • Webcenter Sites
  • Fusion Middleware Mapviewer
  • Retail Central Office
  • Banking Enterprise Product Manufacturing
  • Google Guava Mapviewer
  • Retail Returns Management
  • Customer Management And Segmentation Foundation
  • Flexcube Private Banking
  • Terracotta Quartz Scheduler Mapviewer
  • Apache Batik Mapviewer
  • Banking Enterprise Originations
  • Enterprise Manager Base Platform
  • Primavera Unifier
  • Hyperion Infrastructure Technology
Atlassian
  • Jira Service Management
Netapp
  • Active Iq Unified Manager
  • Cloud Secure Agent
Softwareag
  • Quartz
Apache
  • Tomee

Configuration 1 [-]

cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*

Configuration 5 [-]

OR cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:server:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:server:*:*:*
References
Link Resource
https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html Third Party Advisory
https://github.com/quartz-scheduler/quartz/issues/467 Issue Tracking Third Party Advisory
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E Third Party Advisory
https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E Issue Tracking
https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E Issue Tracking
https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E Issue Tracking
https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E Patch
https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E Patch
https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E Issue Tracking
https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E Issue Tracking
https://security.netapp.com/advisory/ntap-20221028-0002/ Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-26T00:00:00

Updated: 2023-10-28T05:44:55.522130

Reserved: 2019-07-19T00:00:00

Link: CVE-2019-13990

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2019-07-26T19:15:11.730

Modified: 2023-12-22T16:35:35.523

Link: CVE-2019-13990

JSON object: View

cve-icon Redhat Information

No data.

CWE