CVE-2019-13990

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score percentile: 92%
| Vendor | Product | Version |
| --- | --- | --- |
| softwareag | quartz | 𝑥 < 2.3.2 |
| oracle | apache_batik_mapviewer | 12.2.0.1 |
| oracle | banking_enterprise_originations | 2.7.0; 2.8.0 |
| oracle | banking_enterprise_product_manufacturing | 2.7.0; 2.8.0 |
| oracle | banking_payments | 14.1.0 ≤ 𝑥 ≤ 14.4.0 |
| oracle | communications_ip_service_activator | 7.3.0; 7.4.0 |
| oracle | communications_session_route_manager | 8.2.0 ≤ 𝑥 ≤ 8.2.2 |
| oracle | customer_management_and_segmentation_foundation | 18.0 |
| oracle | documaker | 12.6.0 ≤ 𝑥 ≤ 12.6.4 |
| oracle | enterprise_manager_base_platform | 13.2.1.0 |
| oracle | enterprise_manager_ops_center | 12.4.0.0 |
| oracle | flexcube_investor_servicing | 12.1.0; 12.3.0; 12.4.0; 14.1.0; 14.4.0 |
| oracle | flexcube_private_banking | 12.0.0; 12.1.0 |
| oracle | fusion_middleware_mapviewer | 12.2.1.3.0 |
| oracle | google_guava_mapviewer | 12.2.0.1 |
| oracle | hyperion_infrastructure_technology | 11.1.2.4 |
| oracle | jd_edwards_enterpriseone_orchestrator | 𝑥 ≤ 9.2.5.3 |
| oracle | primavera_unifier | 17.7 ≤ 𝑥 ≤ 17.12; 16.1; 16.2; 18.8 |
| oracle | retail_back_office | 14.1 |
| oracle | retail_central_office | 14.1 |
| oracle | retail_integration_bus | 15.0; 16.0 |
| oracle | retail_order_broker | 15.0; 16.0; 18.0; 19.0 |
| oracle | retail_point-of-service | 14.1 |
| oracle | retail_returns_management | 14.1 |
| oracle | retail_xstore_point_of_service | 15.0; 16.0; 17.0; 18.0; 19.0 |
| oracle | terracotta_quartz_scheduler_mapviewer | 12.2.0.1 |
| oracle | webcenter_sites | 12.2.1.3.0; 12.2.1.4.0 |
| apache | tomee | 7.1.3 |
| netapp | active_iq_unified_manager | - |
| netapp | cloud_secure_agent | - |
| atlassian | jira_service_management | 4.20.0; 4.20.1; 4.20.2; 4.20.3; 4.20.4; 4.20.5; 4.20.6; 4.20.7; 4.20.8; 4.20.9; 4.20.10; 4.20.11; 4.20.12; 4.20.13; 4.20.14; 4.20.15; 4.20.16; 4.20.17; 4.20.18; 4.20.19; 4.20.20; 4.20.21; 4.20.22; 4.20.23; 4.20.24; 4.20.25; 4.21.0; 4.21.1; 4.22.0; 4.22.1; 4.22.2; 4.22.3; 4.22.4; 4.22.6; 5.0.0; 5.1.0; 5.1.1; 5.2.0; 5.2.1; 5.3.0; 5.3.1; 5.3.2; 5.3.3; 5.4.0; 5.4.1; 5.4.2; 5.4.3; 5.4.4; 5.4.5; 5.4.6; 5.4.7; 5.4.8; 5.4.9; 5.5.1; 5.6.0; 5.7.0; 5.7.1; 5.8.0; 5.8.1; 5.9.0; 5.10.0 |

𝑥 = Vulnerable software versions
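Debian Releases

| Debian Product | Codename | Version | Status |
| --- | --- | --- | --- |
| libquartz-java | bullseye | | no-dsa |
| libquartz-java | buster | | no-dsa |
| libquartz-java | stretch | | no-dsa |
| libquartz-java | jessie | | no-dsa |
| libquartz-java | sid | 1:1.8.6-8 | fixed |
| libquartz-java | trixie | 1:1.8.6-8 | fixed |
| libquartz-java | bookworm | 1:1.8.6-8 | fixed |
| libquartz2-java | bullseye | 2.3.0-3 | no-dsa |
| libquartz2-java | buster | | no-dsa |
| libquartz2-java | stretch | | no-dsa |
| libquartz2-java | jessie | | no-dsa |
| libquartz2-java | sid | 2.3.2-4 | fixed |
| libquartz2-java | trixie | 2.3.2-4 | fixed |
| libquartz2-java | bookworm | 2.3.2-4 | fixed |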
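Ubuntu Releases

| Ubuntu Product | Codename | Status |
| --- | --- | --- |
| libquartz-java | noble | needs-triage |
| libquartz-java | mantic | ignored |
| libquartz-java | lunar | ignored |
| libquartz-java | kinetic | ignored |
| libquartz-java | jammy | needs-triage |
| libquartz-java | impish | ignored |
| libquartz-java | hirsute | ignored |
| libquartz-java | groovy | ignored |
| libquartz-java | focal | needs-triage |
| libquartz-java | eoan | ignored |
| libquartz-java | disco | ignored |
| libquartz-java | bionic | needs-triage |
| libquartz-java | xenial | needs-triage |
| libquartz-java | trusty | dne |
| libquartz2-java | noble | not-affected |
| libquartz2-java | mantic | not-affected |
| libquartz2-java | lunar | not-affected |
| libquartz2-java | kinetic | not-affected |
| libquartz2-java | jammy | not-affected |
| libquartz2-java | impish | not-affected |
| libquartz2-java | hirsute | not-affected |
| libquartz2-java | groovy | not-affected |
| libquartz2-java | focal | needs-triage |
| libquartz2-java | eoan | ignored |
| libquartz2-java | disco | ignored |
| libquartz2-java | bionic | needs-triage |
| libquartz2-java | xenial | dne |
| libquartz2-java | trusty | dne |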
References