CVE-2019-13990

Name: CVE-2019-13990
Description: initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 933169, 933170

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                  Version     Status
libquartz-java (PTS)    jessie                   1:1.7.3-5   vulnerable
                        stretch                  1:1.8.6-3   vulnerable
                        buster, bullseye, sid    1:1.8.6-6   vulnerable
libquartz2-java (PTS)   stretch                  2.2.3-1     vulnerable
                        buster, bullseye, sid    2.3.0-2     vulnerable

The information below is based on the following data on fixed versions.

Package           Type     Release       Fixed Version   Urgency   Origin   Debian Bugs
libquartz-java    source   (unstable)    (unfixed)       high               933169
libquartz2-java   source   (unstable)    (unfixed)       high               933170

Notes

[buster] - libquartz-java <no-dsa> (Minor issue)
[stretch] - libquartz-java <no-dsa> (Minor issue)
[jessie] - libquartz-java <no-dsa> (Minor issue)
[buster] - libquartz2-java <no-dsa> (Minor issue)
[stretch] - libquartz2-java <no-dsa> (Minor issue)
https://github.com/quartz-scheduler/quartz/issues/467
