#VU19595 XML External Entity injection in Quartz Scheduler


Published: 2019-08-01 | Updated: 2019-11-19

Vulnerability identifier: #VU19595

Vulnerability risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13990

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quartz Scheduler
Universal components / Libraries / Libraries used by multiple products

Vendor: Terracotta

Description

The vulnerability allows a remote attacker to conduct an XML External Entity (XXE) attack on a targeted system.

The vulnerability exists due to insufficient validation of user-supplied XML input in the "initDocumentParser" function in the "xml/XMLSchedulingDataProcessor.java" file. A remote authenticated attacker can submit a malicious job description to the targeted system and conduct an XXE attack.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Quartz Scheduler: 1.8.0 - 2.3.0

External links
http://github.com/quartz-scheduler/quartz/issues/467

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Identity Manager
XML External Entity injection in Oracle Internet Directory
XXE in Jira Service Management Data Center and Server
Multiple vulnerabilities in Dell PowerStore Family
Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition
Multiple vulnerabilities in IBM Disconnected Log Collector
Multiple vulnerabilities in Oracle WebCenter Sites
Multiple vulnerabilities in JD Edwards EnterpriseOne Orchestrator
Multiple vulnerabilities in Hyperion Infrastructure Technology
Multiple vulnerabilities in Enterprise Manager Base Platform