org.apache.xmlrpc:xmlrpc@3.1.1 vulnerabilities

Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification.

latest version

3.1.3
first published

17 years ago
latest version published

13 years ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.xmlrpc:xmlrpc package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A flaw was discovered where the XMLRPC client implementation performed deserialization of the server-side exception serialized in the `faultCause` attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. How to fix Deserialization of Untrusted Data? There is no fixed version for `org.apache.xmlrpc:xmlrpc`.	[3.1,)
M Denial of Service (DoS) `org.apache.xmlrpc:xmlrpc` is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Affected versions of the package are vulnerable to Denial of Service (DoS). By default `ws-xmlrpc` supports `Content-Encoding` HTTP header. When sending `Content-Encoding: gzip` header, the body is not gzipped, and an error returns. An attacker may create a specially crafted compressed file and cause a Denial of Service attack, also known as `decompression bomb` attack.	[3.0,3.1.4)
C Deserialization of Untrusted Data `org.apache.xmlrpc:xmlrpc` is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Affected versions of the package are vulnerable to Deserialization of Untrusted Data. By default `ws-xmlrpc` supports `java.io.Serializable` data types through `<ex:serializable>` element. An attacker can leverage this to call a method and pass a serialized Java object in that element. `ws-xmlrpc` will deserialize the malicious object without validation.	[3.0,3.1.4)
H Server-side Request Forgery (SSRF) `org.apache.xmlrpc:xmlrpc` is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a `DOCTYPE` declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable `xml-rpc` endpoint.	[3.0,3.1.4)

Go back to all versions of this package

org.apache.xmlrpc:xmlrpc@3.1.1 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities