PT-2019-5263 · Terracotta+3 · Terracotta Quartz Scheduler+3
Published: 2019-07-22 · Updated: 2024-10-15 · CVE-2019-13990
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Terracotta Quartz Scheduler versions through 2.3.0
Description
The issue is related to the initDocumentParser function in the xml/XMLSchedulingDataProcessor.java file of the Terracotta Quartz Scheduler library, which incorrectly restricts XML external entity references. This can allow a remote attacker to perform an XXE (XML External Entity) attack. The vulnerability can be exploited via a job description.
Recommendations
For Terracotta Quartz Scheduler versions through 2.3.0, update to a version later than 2.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the initDocumentParser function in the xml/XMLSchedulingDataProcessor.java file until a patch is available. Avoid using the vulnerable initDocumentParser function in job descriptions until the issue is resolved.
Fix
XXE
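The weakness class behind this advisory is an XML parser that resolves entity declarations found in untrusted input. The fix the advisory points to is upgrading; the code below is an added example, not Quartz project code, showing the JAXP DocumentBuilderFactory configuration that closes this class of issue for any component that parses job-description XML. The class name HardenedJobXmlParser, its methods, and both sample documents are constructed for the example; the benign sample merely imitates the shape of a Quartz job-scheduling-data file and is an assumption about that format, not a copy of it.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (hypothetical class, not part of Quartz): a DocumentBuilder
 * configured so that job-description XML can never pull in external entities.
 */
public class HardenedJobXmlParser {

    /** Builds a parser that rejects any DOCTYPE and never resolves external entities or DTDs. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // JAXP secure-processing limits (entity expansion counts and similar).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The decisive setting: a document carrying <!DOCTYPE ...> is refused outright,
        // so no entity (internal, external or parameter) can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the feature above is not honoured.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses job XML with the hardened builder; returns null when the parser refuses the input. */
    static Document parseJobXml(String xml) throws Exception {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, any DTD triggers this path before entities resolve.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like a Quartz job-scheduling-data document (assumed format).
        String benignJob =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
          + "<job-scheduling-data xmlns=\"http://www.quartz-scheduler.org/xml/JobSchedulingData\""
          + " version=\"2.0\">"
          + "<schedule><job>"
          + "<name>nightly-report</name><group>constructed</group>"
          + "<job-class>com.example.ReportJob</job-class>"
          + "</job></schedule>"
          + "</job-scheduling-data>";

        // Constructed sample that only declares a harmless inline DTD: the presence of a
        // DOCTYPE is by itself enough for the hardened parser to refuse the document.
        String jobWithDoctype =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
          + "<!DOCTYPE job-scheduling-data [ <!ENTITY note \"constructed\"> ]>"
          + "<job-scheduling-data version=\"2.0\"><schedule><job>"
          + "<name>&note;</name></job></schedule></job-scheduling-data>";

        Document ok = parseJobXml(benignJob);
        System.out.println("benign parsed, root element = " + ok.getDocumentElement().getTagName());

        Document refused = parseJobXml(jobWithDoctype);
        System.out.println("document with DOCTYPE accepted? " + (refused != null));
    }
}
```

Run it with `javac HardenedJobXmlParser.java && java HardenedJobXmlParser`. The design choice worth noting is that the DOCTYPE ban, not the individual entity features, is what a reviewer should look for when auditing a parser factory: the other features are useful only as a fallback, because a parser that accepts a DTD at all has more ways to reach the network or the filesystem than a single feature flag covers.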
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Jira Service Management Server
Suse
Terracotta Quartz Scheduler