Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Financial Services Analytical Applications Infrastructure
APPOracle8.0.6 – 8.1.0Oracle Flexcube Private Banking
APPOracle12.0.012.1.0Pivotal Software Spring Web Services
APPPivotal Software≤ 2.4.33.0.0 – 3.0.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
XXE
References
Related vulnerabilities
CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
CVE-2025-53037CRITICAL9.8PL ✓ten sam produkt
Pominięcie uwierzytelnienia w Oracle Financial Services Analytical Applications Infrastructure
CVE-2021-26291CRITICAL9.1ten sam produkt
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may ...
CVE-2020-11998CRITICAL9.8ten sam produkt
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...