Attacker Value
Moderate
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2019-13990

Disclosure Date: July 26, 2019
CVE-2019-13990 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Vulnerable in default configurationAuthenticatedRequires elevated access
Technical Analysis

In Atlassian’s October Security Bulletin, this vulnerability was one of the highlighted ones.
In certain versions of Jira Service Management Server & Data Center, a vulnerability denoted as CVE-2019-13990 was identified. These affected versions contained vulnerable iterations of Terracotta Quartz Scheduler, which could be exploited by authenticated attackers to launch an XML External Entity (XXE) injection attack via job descriptions.

Atlassian has pledged to issue critical advisories in accordance with the National Vulnerability Database (NVD) vulnerability score. In this instance, the Common Vulnerability Scoring System (CVSS) score for this third-party CVE is critical (9.8). Nevertheless, this score does not always consider the specific context in which the vulnerable component is employed in our software. In this case, unauthenticated attackers who lack local access to the system cannot exploit this vulnerability. Therefore, our internal evaluation of this vulnerability designates it as having a high severity rating.

Affected Versions:
This XXE (XML External Entity Injection) vulnerability impacts all versions, including and after 4.20.0, of Jira Service Management Data Center and Server. Versions outside of the support window could potentially be affected, so Atlassian strongly recommends upgrading to the fixed LTS version or a later release.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • atlassian,
  • netapp,
  • oracle,
  • softwareag

Products

  • active iq unified manager -,
  • apache batik mapviewer 12.2.0.1,
  • apache batik mapviewer 18c,
  • apache batik mapviewer 19c,
  • banking enterprise originations 2.7.0,
  • banking enterprise originations 2.8.0,
  • banking enterprise product manufacturing 2.7.0,
  • banking enterprise product manufacturing 2.8.0,
  • banking payments,
  • cloud secure agent -,
  • communications ip service activator 7.3.0,
  • communications ip service activator 7.4.0,
  • communications session route manager,
  • customer management and segmentation foundation 18.0,
  • documaker,
  • enterprise manager base platform 13.2.1.0,
  • enterprise manager ops center 12.4.0.0,
  • flexcube investor servicing 12.1.0,
  • flexcube investor servicing 12.3.0,
  • flexcube investor servicing 12.4.0,
  • flexcube investor servicing 14.1.0,
  • flexcube investor servicing 14.4.0,
  • flexcube private banking 12.0.0,
  • flexcube private banking 12.1.0,
  • fusion middleware mapviewer 12.2.1.3.0,
  • google guava mapviewer 12.2.0.1,
  • google guava mapviewer 18c,
  • google guava mapviewer 19c,
  • hyperion infrastructure technology 11.1.2.4,
  • jd edwards enterpriseone orchestrator,
  • jira service management 4.20.0,
  • jira service management 4.20.1,
  • jira service management 4.20.10,
  • jira service management 4.20.11,
  • jira service management 4.20.12,
  • jira service management 4.20.13,
  • jira service management 4.20.14,
  • jira service management 4.20.15,
  • jira service management 4.20.16,
  • jira service management 4.20.17,
  • jira service management 4.20.18,
  • jira service management 4.20.19,
  • jira service management 4.20.2,
  • jira service management 4.20.20,
  • jira service management 4.20.21,
  • jira service management 4.20.22,
  • jira service management 4.20.23,
  • jira service management 4.20.24,
  • jira service management 4.20.25,
  • jira service management 4.20.3,
  • jira service management 4.20.4,
  • jira service management 4.20.5,
  • jira service management 4.20.6,
  • jira service management 4.20.7,
  • jira service management 4.20.8,
  • jira service management 4.20.9,
  • jira service management 4.21.0,
  • jira service management 4.21.1,
  • jira service management 4.22.0,
  • jira service management 4.22.1,
  • jira service management 4.22.2,
  • jira service management 4.22.3,
  • jira service management 4.22.4,
  • jira service management 4.22.6,
  • jira service management 5.0.0,
  • jira service management 5.1.0,
  • jira service management 5.1.1,
  • jira service management 5.10.0,
  • jira service management 5.2.0,
  • jira service management 5.2.1,
  • jira service management 5.3.0,
  • jira service management 5.3.1,
  • jira service management 5.3.2,
  • jira service management 5.3.3,
  • jira service management 5.4.0,
  • jira service management 5.4.1,
  • jira service management 5.4.2,
  • jira service management 5.4.3,
  • jira service management 5.4.4,
  • jira service management 5.4.5,
  • jira service management 5.4.6,
  • jira service management 5.4.7,
  • jira service management 5.4.8,
  • jira service management 5.4.9,
  • jira service management 5.5.1,
  • jira service management 5.6.0,
  • jira service management 5.7.0,
  • jira service management 5.7.1,
  • jira service management 5.8.0,
  • jira service management 5.8.1,
  • jira service management 5.9.0,
  • primavera unifier,
  • primavera unifier 16.1,
  • primavera unifier 16.2,
  • primavera unifier 18.8,
  • quartz,
  • retail back office 14.1,
  • retail central office 14.1,
  • retail integration bus 15.0,
  • retail integration bus 16.0,
  • retail order broker 15.0,
  • retail order broker 16.0,
  • retail order broker 18.0,
  • retail order broker 19.0,
  • retail point-of-service 14.1,
  • retail returns management 14.1,
  • retail xstore point of service 15.0,
  • retail xstore point of service 16.0,
  • retail xstore point of service 17.0,
  • retail xstore point of service 18.0,
  • retail xstore point of service 19.0,
  • terracotta quartz scheduler mapviewer 12.2.0.1,
  • terracotta quartz scheduler mapviewer 18c,
  • terracotta quartz scheduler mapviewer 19c,
  • tomee 7.1.3,
  • webcenter sites 12.2.1.3.0,
  • webcenter sites 12.2.1.4.0

References

Canonical
CVE-2019-13990 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990)
Advisory
[tomee-dev] 20190830 Re: Quartz CVE-2019-13990 (https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E)
[tomee-dev] 20190830 Quartz CVE-2019-13990 (https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E)
[tomee-dev] 20190908 Re: Quartz CVE-2019-13990 (https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E)
[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml (https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E)
[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4 (https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E)
[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990 (https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E)
[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990 (https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E)
[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990 (https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E)
https://security.netapp.com/advisory/ntap-20221028-0002/
Miscellaneous
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://github.com/quartz-scheduler/quartz/issues/467
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis