org.apache.xmlrpc:xmlrpc@3.0b1 vulnerabilities

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Denial of Service (DoS). By default ws-xmlrpc supports Content-Encoding HTTP header. When sending Content-Encoding: gzip header, the body is not gzipped, and an error returns. An attacker may create a specially crafted compressed file and cause a Denial of Service attack, also known as decompression bomb attack.

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Deserialization of Untrusted Data. By default ws-xmlrpc supports java.io.Serializable data types through <ex:serializable> element. An attacker can leverage this to call a method and pass a serialized Java object in that element. ws-xmlrpc will deserialize the malicious object without validation.

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a DOCTYPE declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable xml-rpc endpoint.