CVE-2019-13990 - Vulnerability Details

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.08578.

Exploitation none

Automatable yes

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:::::::*
	cpe:2.3:a:oracle:apache_batik_mapviewer:18c:::::::*
	cpe:2.3:a:oracle:apache_batik_mapviewer:19c:::::::*
	cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:::::::*
	cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:::::::*
	cpe:2.3:a:oracle:banking_payments::::::::
	cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:::::::*
	cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:::::::*
	cpe:2.3:a:oracle:communications_session_route_manager::::::::
	cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:::::::*
	cpe:2.3:a:oracle:documaker::::::::
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:::::::*
	cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:::::::*
	cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:::::::*
	cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:::::::*
	cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:::::::*
	cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
	cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:::::::*
	cpe:2.3:a:oracle:google_guava_mapviewer:18c:::::::*
	cpe:2.3:a:oracle:google_guava_mapviewer:19c:::::::*
	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:::::::*
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:16.1:::::::*
	cpe:2.3:a:oracle:primavera_unifier:16.2:::::::*
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
	cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:19.0:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.1:::::::*
	cpe:2.3:a:oracle:retail_returns_management:14.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:::::::*
	cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:::::::*
	cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:::::::*
	cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:::::::*
	cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*

Configuration 3 [-]

cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_secure_agent:-:::::::*

Configuration 5 [-]

OR	cpe:2.3:a:atlassian:jira_service_management:4.20.0::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.0::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.1::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.1::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.2::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.2::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.3::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.3::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.4::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.4::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.5::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.5::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.6::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.6::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.7::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.7::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.8::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.8::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.9::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.9::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.10::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.10::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.11::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.11::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.12::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.12::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.13::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.13::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.14::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.14::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.15::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.15::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.16::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.16::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.17::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.17::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.18::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.18::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.19::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.19::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.20::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.20::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.21::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.21::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.22::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.22::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.23::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.23::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.24::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.24::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.25::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.20.25::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.21.0::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.21.0::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.21.1::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.21.1::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.0::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.0::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.1::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.1::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.2::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.2::::server:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.3::::data_center:::
	cpe:2.3:a:atlassian:jira_service_management:4.22.3::::server:::
cpe:2.3:a:atlassian:jira_service_management:4.22.4::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:4.22.4::::server:::
cpe:2.3:a:atlassian:jira_service_management:4.22.6::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:4.22.6::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.0.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.0.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.1.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.1.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.1.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.1.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.2.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.2.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.2.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.2.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.3.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.3.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.3.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.3.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.3.2::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.3.2::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.3.3::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.3.3::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.2::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.2::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.3::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.3::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.4::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.4::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.5::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.5::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.6::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.6::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.7::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.7::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.8::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.8::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.4.9::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.4.9::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.5.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.5.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.6.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.6.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.7.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.7.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.7.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.7.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.8.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.8.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.8.1::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.8.1::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.9.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.9.0::::server:::
cpe:2.3:a:atlassian:jira_service_management:5.10.0::::data_center:::
cpe:2.3:a:atlassian:jira_service_management:5.10.0::::server:::

Package	CPE	Advisory	Released Date
Red Hat Decision Manager 7
quartz	cpe:/a:redhat:jboss_enterprise_brms_platform:7.8	RHSA-2020:3196	2020-07-29T00:00:00Z
Red Hat Fuse 7.8.0
quartz	cpe:/a:redhat:jboss_fuse:7	RHSA-2020:5568	2020-12-16T00:00:00Z
Red Hat Process Automation 7
quartz	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8	RHSA-2020:3197	2020-07-29T00:00:00Z
Red Hat Virtualization Engine 4.4
rhvm-dependencies-0:4.4.0-1.el8ev	cpe:/a:redhat:rhev_manager:4.4:el8	RHSA-2020:3247	2020-08-04T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Apache Subscribe	Tomee Subscribe
Atlassian Subscribe	Jira Service Management Subscribe
Netapp Subscribe	Active Iq Unified Manager Subscribe Cloud Secure Agent Subscribe
Oracle Subscribe	Apache Batik Mapviewer Subscribe Banking Enterprise Originations Subscribe Banking Enterprise Product Manufacturing Subscribe Banking Payments Subscribe Communications Ip Service Activator Subscribe Communications Session Route Manager Subscribe Customer Management And Segmentation Foundation Subscribe Documaker Subscribe Enterprise Manager Base Platform Subscribe Enterprise Manager Ops Center Subscribe Flexcube Investor Servicing Subscribe Flexcube Private Banking Subscribe Fusion Middleware Mapviewer Subscribe Google Guava Mapviewer Subscribe Hyperion Infrastructure Technology Subscribe Jd Edwards Enterpriseone Orchestrator Subscribe Primavera Unifier Subscribe Retail Back Office Subscribe Retail Central Office Subscribe Retail Integration Bus Subscribe Retail Order Broker Subscribe Retail Point-of-service Subscribe Retail Returns Management Subscribe Retail Xstore Point Of Service Subscribe Terracotta Quartz Scheduler Mapviewer Subscribe Webcenter Sites Subscribe
Redhat Subscribe	Jboss Enterprise Bpms Platform Subscribe Jboss Enterprise Brms Platform Subscribe Jboss Fuse Subscribe Rhev Manager Subscribe
Softwareag Subscribe	Quartz Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-9qcf-c26r-x5rf	XML external entity injection in Terracotta Quartz Scheduler

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html
https://github.com/quartz-scheduler/quartz/issues/467
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E
https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2019-13990
https://security.netapp.com/advisory/ntap-20221028-0002/
https://www.cve.org/CVERecord?id=CVE-2019-13990
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.07947}`	epss `{'score': 0.10416}`

Tue, 15 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-26T00:00:00.000Z

Updated: 2024-10-15T18:22:20.316Z

Reserved: 2019-07-19T00:00:00.000Z

Link: CVE-2019-13990

Vulnrichment

Updated: 2024-08-05T00:05:44.151Z

NVD

Status : Modified

Published: 2019-07-26T19:15:11.730

Modified: 2024-11-21T04:25:50.490

Link: CVE-2019-13990

Redhat

Severity : Important

Publid Date: 2019-07-26T00:00:00Z

Links: CVE-2019-13990 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-611

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable yes

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object