CVE-2019-3774
Low severity vulnerability that affects org.springframework.batch:spring-batch-core
EPSS 2.0%
Description
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
How to fix CVE-2019-3774
To remediate CVE-2019-3774, upgrade the affected package to the fixed version listed below.
- Maven/org.springframework.batch:spring-batch-core: upgrade to 3.0.10.RELEASE or later
Is CVE-2019-3774 being exploited?
Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.springframework.batch:spring-batch-core: from 0, < 3.0.10.RELEASE