exploitDog
CVE-2019-13990

Published: 26 Jul 2019
Source: redhat
CVSS3: 8.1 (High)

Description

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

The Terracotta Quartz Scheduler is susceptible to an XML external entity (XXE) attack through a job description. The issue stems from inadequate handling of XML external entity declarations in the initDocumentParser function in xml/XMLSchedulingDataProcessor.java: the document parser is built without disabling DOCTYPE processing or external entity resolution (CWE-611). By enticing a victim to load a maliciously crafted job description (an XML document), a remote attacker could exploit this vulnerability to carry out an XXE attack on the targeted system.
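The defect class described above is a DOM parser created with default settings. The following is an added example, not code from Quartz or from Red Hat, showing how a job-description parser is hardened against XXE: it builds a javax.xml DocumentBuilder that rejects any DOCTYPE declaration and, as defense in depth, disables external entities, external DTD loading and entity expansion. The class name, the parseJobDescription helper and the two sample documents in main are constructed for this example; the element names merely imitate Quartz's job XML layout and are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Hypothetical hardened parser for untrusted job-description XML (example code).
public final class HardenedJobXmlParser {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations, so neither
    // external entities nor entity expansion can be reached from the input.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, which is where XXE is declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that ignore the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Parses untrusted job-description XML. A document carrying a DOCTYPE
    // fails with a SAXException before any entity could be resolved.
    public static Document parseJobDescription(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary job description with no DOCTYPE.
        String benign = "<job-scheduling-data><schedule><job><name>demo</name></job>"
                + "</schedule></job-scheduling-data>";
        System.out.println("benign root: "
                + parseJobDescription(benign).getDocumentElement().getTagName());

        // Constructed sample: the same document preceded by a DOCTYPE with an
        // internal entity. The hardened parser rejects the DOCTYPE outright.
        String withDoctype = "<!DOCTYPE job-scheduling-data [<!ENTITY x \"demo\">]>"
                + "<job-scheduling-data><schedule><job><name>&x;</name></job>"
                + "</schedule></job-scheduling-data>";
        try {
            parseJobDescription(withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the single setting that closes the whole class of entity-based attacks; the remaining features only matter where a JAXP implementation does not support it, which is why the factory sets them all and lets setFeature throw if a feature is unknown rather than silently continuing with an unhardened parser.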

Report

Red Hat Satellite 6 uses a vulnerable version of libquartz as a dependency of Candlepin. However, the affected entry point is not used, so the vulnerability cannot be triggered. An update may fix the code in the future.

Affected packages

Platform                            Package             Status                 Advisory          Release
Red Hat JBoss Fuse Service Works 6  quartz              Out of support scope
Red Hat Satellite 5                 quartz              Out of support scope
Red Hat Satellite 6                 quartz              Fix deferred
Red Hat Decision Manager 7          quartz              Fixed                  RHSA-2020:3196    29.07.2020
Red Hat Fuse 7.8.0                  quartz              Fixed                  RHSA-2020:5568    16.12.2020
Red Hat Process Automation 7        quartz              Fixed                  RHSA-2020:3197    29.07.2020
Red Hat Virtualization Engine 4.4   rhvm-dependencies   Fixed                  RHSA-2020:3247    04.08.2020

Additional information

Status: Important
Weakness: CWE-611
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1801149
libquartz: XXE attacks via job description


Related vulnerabilities

ubuntu (CVSS3: 9.8, more than 6 years ago)

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

nvd (CVSS3: 9.8, more than 6 years ago)

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

debian (CVSS3: 9.8, more than 6 years ago)

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracott ...

github (CVSS3: 9.8, more than 5 years ago)

XML external entity injection in Terracotta Quartz Scheduler

fstec (CVSS3: 9.8, more than 6 years ago)

Vulnerability in the initDocumentParser function of the Terracotta Quartz Scheduler job-scheduling library, allowing an attacker to carry out an XXE attack
