org.apache.xmlrpc:xmlrpc 3.1.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.xmlrpc:xmlrpc package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A flaw was discovered where the XMLRPC client implementation performed deserialization of the server-side exception serialized in the `faultCause` attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. How to fix Deserialization of Untrusted Data? There is no fixed version for `org.apache.xmlrpc:xmlrpc`.	[3.1,)
M Denial of Service (DoS) `org.apache.xmlrpc:xmlrpc` is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Affected versions of the package are vulnerable to Denial of Service (DoS). By default `ws-xmlrpc` supports `Content-Encoding` HTTP header. When sending `Content-Encoding: gzip` header, the body is not gzipped, and an error returns. An attacker may create a specially crafted compressed file and cause a Denial of Service attack, also known as `decompression bomb` attack.	[3.0,3.1.4)
H Server-side Request Forgery (SSRF) `org.apache.xmlrpc:xmlrpc` is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a `DOCTYPE` declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable `xml-rpc` endpoint.	[3.0,3.1.4)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. A flaw was discovered where the XMLRPC client implementation performed deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library.

How to fix Deserialization of Untrusted Data?

There is no fixed version for org.apache.xmlrpc:xmlrpc.

[3.1,)

Denial of Service (DoS)

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Denial of Service (DoS). By default ws-xmlrpc supports Content-Encoding HTTP header. When sending Content-Encoding: gzip header, the body is not gzipped, and an error returns. An attacker may create a specially crafted compressed file and cause a Denial of Service attack, also known as decompression bomb attack.

[3.0,3.1.4)

Server-side Request Forgery (SSRF)

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a DOCTYPE declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable xml-rpc endpoint.

[3.0,3.1.4)

org.apache.xmlrpc:xmlrpc@3.1.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?