
GHSA-8222-6fc8-mhvf

GitHub Security Advisory

Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml

✓ GitHub Reviewed | CRITICAL | Has CVE

Advisory Details

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Affected Packages

Maven org.springframework.ws:spring-ws
Affected versions: 0 (fixed in 2.4.4)
Maven org.springframework.ws:spring-ws
Affected versions: 3.0.0 (fixed in 3.0.6)
Maven org.springframework.ws:spring-xml
Affected versions: 0 (fixed in 2.4.4)
Maven org.springframework.ws:spring-xml
Affected versions: 3.0.0 (fixed in 3.0.6)

Key Information

GHSA ID: GHSA-8222-6fc8-mhvf
Published: January 25, 2019 4:18 PM
Last Modified: June 15, 2021 4:59 PM
CVSS Score: 9.0/10
Primary Ecosystem: Maven
Primary Package: org.springframework.ws:spring-ws
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.