{"id":"CVE-2019-13990","details":"initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.","aliases":["GHSA-9qcf-c26r-x5rf"],"modified":"2026-04-16T04:30:52.833121107Z","published":"2019-07-26T19:15:11.730Z","related":["SUSE-SU-2020:0984-1","SUSE-SU-2020:1009-1"],"references":[{"type":"ADVISORY","url":"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221028-0002/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"},{"type":"REPORT","url":"https://github.com/quartz-scheduler/quartz/issues/467"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomee","events":[{"introduced":"0"},{"last_affected":"7bcc4a4b66e29bf1fb209c8da5b4203bce99d17a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.1.3"}]}},{"type":"GIT","repo":"https://github.com/quartz-scheduler/quartz","events":[{"introduced":"0"},{"fixed":"3533e4063644c0436ac5e873a75b647703aea6dd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.2"}]}}],"versions":["quartz-2.3.0","tomee-7.1.0","tomee-7.1.1","tomee-7.1.2","tomee-7.1.3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.8.0"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"8.2.0"},{"last_affected":"8.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"12.6.0"},{"last_affected":"12.6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2.5.3"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"16.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.5"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.5"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.7"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.7"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.8"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.8"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.13"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.13"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.14"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.14"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.15"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.15"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.16"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.16"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.17"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.17"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.18"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.18"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.19"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.19"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.20"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.20"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.21"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.21"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.22"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.22"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.23"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.23"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.24"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.24"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.25"}]},{"events":[{"introduced":"0"},{"last_affected":"4.20.25"}]},{"events":[{"introduced":"0"},{"last_affected":"4.21.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.21.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.2"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.4"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.22.6"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.7"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.7"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.8"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.8"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"5.4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"5.5.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.5.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}