CVE-2019-13990
XXE vulnerability in quartz (Maven)
What is CVE-2019-13990 About?
This vulnerability in Terracotta Quartz Scheduler allows XML External Entity (XXE) attacks via a job description. The flaw in `initDocumentParser` permits attackers to disclose sensitive local files or perform server-side request forgery. Exploitation requires the ability to provide a malicious job description.
Affected Software
Technical Details
In Terracotta Quartz Scheduler through version 2.3.0, the `initDocumentParser` function within `xml/XMLSchedulingDataProcessor.java` is vulnerable to XXE attacks. When the scheduler processes a job description, it uses an XML parser that does not properly disable external entity resolution. An attacker can craft a malicious job description XML containing external entity declarations (e.g., `<!ENTITY xxe SYSTEM "file:///etc/passwd">`). When this XML is parsed, the system will attempt to resolve the external entity, leading to the disclosure of local files, the execution of arbitrary code (if DTD-based XXE is possible with specific configurations), or the initiation of server-side requests.
What is the Impact of CVE-2019-13990?
Successful exploitation may allow attackers to disclose sensitive local files, perform server-side request forgery (SSRF), or potentially execute arbitrary code, leading to data exposure or system compromise.
What is the Exploitability of CVE-2019-13990?
Exploitation involves crafting a malicious job description XML and submitting it to the Terracotta Quartz Scheduler. This requires the ability to interact with the scheduler's job submission mechanism. The complexity is moderate, necessitating knowledge of XML and XXE attack vectors. Authentication requirements depend on how job descriptions are submitted; if an unauthenticated endpoint allows job submission, then no authentication is needed. Access can be remote or local. Special conditions include the scheduler processing XML input without disabling DTDs or external entities. The risk increases for applications that allow untrusted users to define or import job schedules.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| epicosy | Link | quartz with CVE-2019-13990 |
What are the Available Fixes for CVE-2019-13990?
About the Fix from Resolved Security
The patch mitigates CVE-2019-13990 by configuring the XML parser to disallow DOCTYPE declarations, disable loading of external DTDs, and prevent expansion of external entities, effectively blocking XML External Entity (XXE) attacks. This prevents attackers from injecting malicious XML data that could lead to information disclosure or remote file access when processing untrusted XML input.
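As an added illustration (not Quartz's own patch code), the following Java snippet applies the three parser settings the fix describes to a `DocumentBuilderFactory` and checks that a constructed job description carrying a DOCTYPE is rejected while a plain one is accepted. The class name, method names and sample XML are assumptions, not taken from the project.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class HardenedJobXmlParser {

    // Constructed sample job description carrying an external entity declaration.
    // The hardened parser rejects it at the DOCTYPE, so the referenced file is never read.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE job-scheduling-data [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<job-scheduling-data><schedule><job><name>&xxe;</name></job></schedule></job-scheduling-data>";

    // Constructed benign job description with no DOCTYPE at all.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?>\n"
      + "<job-scheduling-data><schedule><job><name>backup</name></job></schedule></job-scheduling-data>";

    /** Builds a DocumentBuilder with the settings the fix description lists. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // 1. Disallow DOCTYPE declarations outright: no DTD, no entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // 2. Never load external DTDs, even if a DOCTYPE were somehow permitted.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // 3. Do not expand external general or parameter entities (defence in depth).
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the job description parsed, false if the hardened parser rejected it. */
    static boolean parseJobDescription(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (Exception e) { // SAXParseException is raised on the DOCTYPE line
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("clean description accepted: " + parseJobDescription(SAMPLE_CLEAN));
        System.out.println("DOCTYPE description rejected: " + !parseJobDescription(SAMPLE_WITH_DTD));
    }
}
```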
Available Upgrade Options
- org.quartz-scheduler:quartz
- <2.3.2 → Upgrade to 2.3.2
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html
- https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
- https://github.com/quartz-scheduler/quartz/issues/467
- https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
- https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-13990?
Similar Vulnerabilities: CVE-2019-10080, CVE-2020-25658, CVE-2021-43297, CVE-2022-23439, CVE-2023-28825
