Homepage

org.apache.xmlrpc:xmlrpc@3.0 vulnerabilities

  • latest version

    3.1.3

  • latest non vulnerable version

    3.0rc1

  • first published

    19 years ago

  • latest version published

    15 years ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.apache.xmlrpc:xmlrpc package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Denial of Service (DoS)

    org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

    Affected versions of the package are vulnerable to Denial of Service (DoS). By default ws-xmlrpc supports Content-Encoding HTTP header. When sending Content-Encoding: gzip header, the body is not gzipped, and an error returns. An attacker may create a specially crafted compressed file and cause a Denial of Service attack, also known as decompression bomb attack.

    [3.0,3.1.4)
    • H
    Server-side Request Forgery (SSRF)

    org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

    Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a DOCTYPE declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable xml-rpc endpoint.

    [3.0,3.1.4)
    Go back to all versions of this package