CVE-2019-13990

Name: CVE-2019-13990
Creator: NVD / NIST
Published: 2019-07-26T19:15:11.73+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 16.63%

Last modified Jun 17, 2026

CVE-2019-13990 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.. EPSS estimates a 16.63% chance of exploitation in the next 30 days.

Description

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

16.63%

96.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Softwareag	Quartz	< 2.3.2
Oracle	Apache Batik Mapviewer	12.2.0.1
Oracle	Apache Batik Mapviewer	18c
Oracle	Apache Batik Mapviewer	19c
Oracle	Banking Enterprise Originations	2.7.0
Oracle	Banking Enterprise Originations	2.8.0
Oracle	Banking Enterprise Product Manufacturing	2.7.0
Oracle	Banking Enterprise Product Manufacturing	2.8.0
Oracle	Banking Payments	>= 14.1.0, <= 14.4.0
Oracle	Communications Ip Service Activator	7.3.0
Oracle	Communications Ip Service Activator	7.4.0
Oracle	Communications Session Route Manager	>= 8.2.0, <= 8.2.2
Oracle	Customer Management And Segmentation Foundation	18.0
Oracle	Documaker	>= 12.6.0, <= 12.6.4
Oracle	Enterprise Manager Base Platform	13.2.1.0
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Flexcube Investor Servicing	12.1.0
Oracle	Flexcube Investor Servicing	12.3.0
Oracle	Flexcube Investor Servicing	12.4.0
Oracle	Flexcube Investor Servicing	14.1.0
Oracle	Flexcube Investor Servicing	14.4.0
Oracle	Flexcube Private Banking	12.0.0
Oracle	Flexcube Private Banking	12.1.0
Oracle	Fusion Middleware Mapviewer	12.2.1.3.0
Oracle	Google Guava Mapviewer	12.2.0.1
Oracle	Google Guava Mapviewer	18c
Oracle	Google Guava Mapviewer	19c
Oracle	Hyperion Infrastructure Technology	11.1.2.4
Oracle	Jd Edwards Enterpriseone Orchestrator	<= 9.2.5.3
Oracle	Primavera Unifier	>= 17.7, <= 17.12
Oracle	Primavera Unifier	16.1
Oracle	Primavera Unifier	16.2
Oracle	Primavera Unifier	18.8
Oracle	Retail Back Office	14.1
Oracle	Retail Central Office	14.1
Oracle	Retail Integration Bus	15.0
Oracle	Retail Integration Bus	16.0
Oracle	Retail Order Broker	15.0
Oracle	Retail Order Broker	16.0
Oracle	Retail Order Broker	18.0
Oracle	Retail Order Broker	19.0
Oracle	Retail Point-Of-Service	14.1
Oracle	Retail Returns Management	14.1
Oracle	Retail Xstore Point Of Service	15.0
Oracle	Retail Xstore Point Of Service	16.0
Oracle	Retail Xstore Point Of Service	17.0
Oracle	Retail Xstore Point Of Service	18.0
Oracle	Retail Xstore Point Of Service	19.0
Oracle	Terracotta Quartz Scheduler Mapviewer	12.2.0.1
Oracle	Terracotta Quartz Scheduler Mapviewer	18c

Showing 50 of 117 affected configurations. See NVD for the full list.

References

https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.htmlThird Party Advisory
https://github.com/quartz-scheduler/quartz/issues/467Issue Tracking, Third Party Advisory
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3EThird Party Advisory
https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3EPatch
https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3EPatch
https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3EIssue Tracking
https://security.netapp.com/advisory/ntap-20221028-0002/Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.htmlThird Party Advisory
https://github.com/quartz-scheduler/quartz/issues/467Issue Tracking, Third Party Advisory
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3EThird Party Advisory
https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3EPatch
https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3EPatch
https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3EIssue Tracking
https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3EIssue Tracking
https://security.netapp.com/advisory/ntap-20221028-0002/Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory

Timeline

Published: Jul 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-13990?

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

How severe is CVE-2019-13990?

CVE-2019-13990 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 16.63% probability of exploitation in the next 30 days.

How do I fix CVE-2019-13990?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-13990?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST