CVE-2019-13990

Name:         CVE-2019-13990
Description:  initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Source:       CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs:  933169, 933170

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release                Version     Status
libquartz-java (PTS)   jessie                 1:1.7.3-5   vulnerable
                       stretch                1:1.8.6-3   vulnerable
                       buster, bullseye       1:1.8.6-6   vulnerable
                       sid, trixie, bookworm  1:1.8.6-8   fixed
libquartz2-java (PTS)  stretch                2.2.3-1     vulnerable
                       buster                 2.3.0-2     vulnerable
                       bullseye               2.3.0-3     fixed
                       sid, trixie, bookworm  2.3.2-4     fixed

The information below is based on the following data on fixed versions.

Package          Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
libquartz-java   source  wheezy      (unfixed)      end-of-life
libquartz-java   source  (unstable)  1:1.8.6-8                           933169
libquartz2-java  source  (unstable)  2.3.0-3                             933170

Notes

[bullseye] - libquartz-java <no-dsa> (Minor issue)
[buster] - libquartz-java <no-dsa> (Minor issue)
[stretch] - libquartz-java <no-dsa> (Minor issue)
[jessie] - libquartz-java <no-dsa> (Minor issue)
[buster] - libquartz2-java <no-dsa> (Minor issue)
[stretch] - libquartz2-java <no-dsa> (Minor issue)
https://github.com/quartz-scheduler/quartz/issues/467
https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140
