Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Financial Services Analytical Applications Infrastructure
APPOracle8.0.6 – 8.1.0Oracle Flexcube Private Banking
APPOracle12.0.012.1.0Pivotal Software Spring Web Services
APPPivotal Software≤ 2.4.33.0.0 – 3.0.4
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
XXE
Referencje
Powiązane podatności
CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
CVE-2025-53037CRITICAL9.8PL ✓ten sam produkt
Pominięcie uwierzytelnienia w Oracle Financial Services Analytical Applications Infrastructure
CVE-2021-26291CRITICAL9.1ten sam produkt
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may ...
CVE-2020-11998CRITICAL9.8ten sam produkt
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...