org.apache.xmlrpc:xmlrpc@3.1.3 vulnerabilities

Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification.

Direct Vulnerabilities

Known vulnerabilities in the org.apache.xmlrpc:xmlrpc package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity: C = critical, H = high, M = medium) and vulnerable version range

  • C (critical): Deserialization of Untrusted Data (client side, faultCause)

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The XML-RPC client deserializes, with plain Java serialization, the server-side exception that a fault response carries in its faultCause member. A malicious or compromised XML-RPC server can therefore return a crafted faultCause and execute arbitrary code with the privileges of the application using the Apache XML-RPC client library. The exposure is on the client side: any code that calls a server it does not fully control is affected, whatever that server's own state of patching.

How to fix Deserialization of Untrusted Data?

There is no fixed version for org.apache.xmlrpc:xmlrpc; 3.1.3 is the last release the project published. Mitigate outside the library: restrict Java deserialization process-wide with a JEP 290 serialization filter, or replace the client with a maintained XML-RPC implementation.

Vulnerable version range: [3.1,)
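Because no fixed release exists, the practical control for the client is outside the library. The following is an added example, not code from this page or from the Apache XML-RPC project: it installs a JVM-wide deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9 and later) before creating the client, so the ObjectInputStream that the response parser opens on a faultCause payload rejects every class before any gadget chain can run. The server URL and the method name are assumptions.

```java
import java.io.ObjectInputFilter;
import java.net.URL;
import org.apache.xmlrpc.XmlRpcException;
import org.apache.xmlrpc.client.XmlRpcClient;
import org.apache.xmlrpc.client.XmlRpcClientConfigImpl;

/** XML-RPC client guarded by a JVM-wide deserialization filter (Java 9+, JEP 290). */
public class HardenedXmlRpcClient {

    /** Installs the filter once per process; throws if a filter was already set. */
    static void installSerialFilter() {
        // "!*" rejects every class, so any ObjectInputStream.readObject() in this JVM,
        // including the one the XML-RPC response parser runs on a faultCause payload,
        // fails with InvalidClassException before the object graph is materialised.
        // If some component genuinely needs serialization, use an allowlist such as
        // "com.example.model.**;!*" (hypothetical package) instead of a blanket reject.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!*"));
    }

    public static void main(String[] args) throws Exception {
        installSerialFilter();

        XmlRpcClientConfigImpl config = new XmlRpcClientConfigImpl();
        config.setServerURL(new URL("https://rpc.example.invalid/xmlrpc")); // assumed endpoint
        config.setEnabledForExtensions(false);   // no ex:* vendor types on the wire either

        XmlRpcClient client = new XmlRpcClient();
        client.setConfig(config);
        try {
            Object result = client.execute("example.ping", new Object[0]);  // assumed method
            System.out.println("result: " + result);
        } catch (XmlRpcException e) {
            // A fault from a hostile server still surfaces here, but the faultCause bytes
            // were rejected by the filter before any class was instantiated, whatever the
            // parser then does with the resulting exception.
            System.err.println("fault " + e.code + ": " + e.getMessage());
        }
    }
}
```

The same effect without a code change: start the JVM with -Djdk.serialFilter='!*' (Java 8u121+ and 9+). The property and the programmatic call are mutually exclusive; if both are used, setSerialFilter throws. Either way, audit what else in the process relies on Java serialization (RMI, session persistence, caches) before choosing a reject-all pattern over an allowlist.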
  • M (medium): Denial of Service (DoS)

Affected versions of the package are vulnerable to Denial of Service (DoS). The server honours a Content-Encoding: gzip request header and transparently inflates the request body before parsing it; sending the header with an uncompressed body returns a decoding error, which shows that the inflation is unconditional. An attacker can therefore send a small, highly compressed body that expands to a very large document and exhausts the server's memory or CPU, a decompression bomb. The server configuration offers no option that caps the inflated size.

Vulnerable version range: [3.0,3.1.4)
  • C (critical): Deserialization of Untrusted Data (server side, ex:serializable)

Affected versions of the package are vulnerable to Deserialization of Untrusted Data. With vendor extensions enabled, the server accepts java.io.Serializable parameters through the <ex:serializable> element, whose content is a base64-encoded Java serialization stream. An attacker who can reach any method passes a crafted serialized object in that element; the server deserializes it without validation while parsing the request, before the method is dispatched, so a gadget chain present on the classpath yields code execution. There is no switch for the serializable type alone: it comes with XmlRpcServerConfigImpl.setEnabledForExtensions(true), the same flag that enables ex:nil and ex:i8.

Vulnerable version range: [3.0,3.1.4)
  • H (high): Server-side Request Forgery (SSRF)

Affected versions of the package are vulnerable to Server-side Request Forgery (SSRF). By sending a request whose XML carries a DOCTYPE declaration that references an external DTD, an attacker makes the server issue an HTTP GET to a URL of the attacker's choosing, including hosts on the server's internal network, because the SAX parser resolves the external DTD while parsing the request. The server configuration exposes no setting for the XML parser's DTD handling, so the request has to be blocked before it reaches the parser or the parser set-up changed in a patched build.

Vulnerable version range: [3.0,3.1.4)
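The three server-side issues above have no fixed release either, and two of them (gzip inflation and DTD resolution) cannot be turned off through XmlRpcServerConfigImpl. The following added example, not code from this page or from the Apache XML-RPC project, shows one way to gate requests before they reach org.apache.xmlrpc.webserver.XmlRpcServlet: a javax.servlet Filter that inflates gzip bodies under a hard cap, rejects any DOCTYPE declaration and any serializable extension element, and replays the vetted body to the servlet with the Content-Encoding header hidden. It assumes the Servlet 3.0 API and that the servlet reads the encoding header through getHeader/getHeaders; the package, class name and size cap are hypothetical.

```java
package com.example.xmlrpc;                      // hypothetical package

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;
import javax.servlet.*;
import javax.servlet.http.*;

/** Request gate in front of org.apache.xmlrpc.webserver.XmlRpcServlet (Servlet API 3.0 assumed). */
public class XmlRpcRequestGuard implements Filter {
    /** Largest inflated body handed to the XML parser; size it from your real call sizes. */
    private static final int MAX_BODY = 1 << 20;
    /** Any DOCTYPE: an external DTD is the SSRF vector, an internal one risks entity expansion. */
    private static final Pattern DOCTYPE = Pattern.compile("(?i)<!DOCTYPE");
    /** The serialized-object extension element, with or without a namespace prefix. */
    private static final Pattern SERIALIZABLE =
            Pattern.compile("<(?:[A-Za-z_][\\w.-]*:)?serializable\\b");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Decompression bomb: inflate here under a cap instead of letting the library
        // wrap the body in an unbounded GZIPInputStream.
        String enc = http.getHeader("Content-Encoding");
        boolean gzip = enc != null && enc.toLowerCase().contains("gzip");
        byte[] body;
        try (InputStream in = gzip ? new GZIPInputStream(http.getInputStream())
                                   : http.getInputStream()) {
            body = readCapped(in, MAX_BODY);
        } catch (IOException e) {                  // header says gzip, body is not
            out.sendError(HttpServletResponse.SC_BAD_REQUEST, "undecodable body");
            return;
        }
        if (body == null) {
            out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "body exceeds cap");
            return;
        }

        // External DTD (SSRF) and <ex:serializable> (deserialization): refuse the request
        // before the SAX parser sees it. A legitimate XML-RPC call needs neither construct.
        // Assumes an ASCII-compatible body encoding; UTF-16 requests should be rejected upstream.
        String text = new String(body, StandardCharsets.UTF_8);
        if (DOCTYPE.matcher(text).find() || SERIALIZABLE.matcher(text).find()) {
            out.sendError(HttpServletResponse.SC_BAD_REQUEST, "forbidden XML construct");
            return;
        }
        chain.doFilter(new ReplayRequest(http, body, gzip), res);
    }

    /** Reads at most {@code cap} bytes; returns null as soon as the stream would exceed it. */
    static byte[] readCapped(InputStream in, int cap) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            if (buf.size() + n > cap) return null;  // stop before materialising the bomb
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    /** Replays the vetted, already-inflated body and hides Content-Encoding from the servlet. */
    static final class ReplayRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        private final boolean hideEncoding;

        ReplayRequest(HttpServletRequest r, byte[] body, boolean hideEncoding) {
            super(r);
            this.body = body;
            this.hideEncoding = hideEncoding;
        }
        private boolean hidden(String name) {
            return hideEncoding && "Content-Encoding".equalsIgnoreCase(name);
        }
        @Override public int getContentLength() { return body.length; }
        // Assumes XmlRpcServlet reads the header via getHeader/getHeaders.
        @Override public String getHeader(String name) {
            return hidden(name) ? null : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return hidden(name) ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
        }
        @Override public ServletInputStream getInputStream() {
            final ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {       // Servlet 3.0: read() is the only abstract method
                @Override public int read() { return in.read(); }
            };
        }
    }
}
```

Register the filter in web.xml (or with @WebFilter) on the same URL pattern as XmlRpcServlet. Pair it with setEnabledForExtensions(false) on the server config wherever the ex: types are not needed, which removes the serializable type at the source rather than by pattern match; the filter then remains as defence in depth for the two issues that no configuration covers.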