Server-side Request Forgery (SSRF) Affecting org.apache.roller:roller-webapp package, versions [,5.2.2)


  • Severity: medium
  • Attack Complexity: High

  • snyk-id: SNYK-JAVA-ORGAPACHEROLLER-174811
  • published: 29 May 2019
  • disclosed: 28 May 2019
  • credit: Arseniy Sharoglazov

How to fix?

Upgrade org.apache.roller:roller-webapp to version 5.2.2 or higher.

Note: If upgrading is not immediately possible, editing Roller's web.xml and commenting out the XML-RPC servlet mapping removes the vulnerable endpoint. This disables the XML-RPC interface (and any blog clients that depend on it) until the upgrade is applied:

    <!--
    <servlet-mapping>
    <servlet-name>XmlRpcServlet</servlet-name>
    <url-pattern>/roller-services/xmlrpc</url-pattern>
    </servlet-mapping>
    -->

Overview

org.apache.roller:roller-webapp is the web application module of Apache Roller, a Java-based blog server.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). Roller's XML-RPC interface is implemented on top of the Java SAX parser in its default configuration, and that default resolves external entities declared in an XML DOCTYPE. A request to the XML-RPC endpoint can therefore declare an external entity whose system identifier is a URL of the attacker's choosing, and the server will fetch that URL while parsing the request, so the XML-RPC service can be used to reach hosts and services on the server's own network.
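The following is an added example, not code from the Apache Roller project or from this advisory. It reproduces the mechanism described above with the JDK's own SAX parser: a constructed XML-RPC payload declares an external entity pointing at a placeholder URL, the default parser configuration tries to resolve that entity (the demo intercepts the resolution with a recording EntityResolver so it runs offline instead of making a network request), and a hardened SAXParserFactory rejects the DOCTYPE outright. The method name, the entity URL, and the class and method names are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XmlRpcXxeDemo {

    // Constructed XML-RPC request (not a real Roller message). The DOCTYPE declares an
    // external entity whose system identifier is an attacker-chosen URL; the host is a
    // placeholder standing in for an internal service reachable only from the server.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE methodCall [\n"
      + "  <!ENTITY xxe SYSTEM \"http://internal-service.example:8080/admin\">\n"
      + "]>\n"
      + "<methodCall>\n"
      + "  <methodName>blogger.getUsersBlogs</methodName>\n"
      + "  <params><param><value><string>&xxe;</string></value></param></params>\n"
      + "</methodCall>\n";

    /** Records every external entity the parser asks for instead of fetching it. */
    static class RecordingHandler extends DefaultHandler {
        final List<String> resolvedSystemIds = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            // With the default configuration and no custom resolver, the parser would
            // open this URL itself. Intercepting it keeps the demo offline.
            resolvedSystemIds.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** Default JDK SAX configuration: DOCTYPE accepted, external entities resolved. */
    static List<String> parseWithDefaults(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        SAXParser parser = factory.newSAXParser();
        RecordingHandler handler = new RecordingHandler();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
        return handler.resolvedSystemIds;  // contains the attacker-chosen URL
    }

    /** Hardened configuration: DOCTYPE rejected, entity and DTD loading disabled. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Rejecting any <!DOCTYPE ...> is the single most effective XXE/SSRF control.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour disallow-doctype-decl.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory;
    }

    /** Returns true when the hardened parser refuses the payload before resolving anything. */
    static boolean hardenedParserRejects(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new RecordingHandler());
            return false;
        } catch (SAXParseException e) {
            // Xerces reports: DOCTYPE is disallowed when the feature ... is set to true.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser tried to fetch: " + parseWithDefaults(PAYLOAD));
        System.out.println("hardened parser rejected payload: " + hardenedParserRejects(PAYLOAD));
    }
}
```

Run with `javac XmlRpcXxeDemo.java && java XmlRpcXxeDemo`. The first line lists the placeholder URL, showing that the default configuration hands the attacker's system identifier to the entity resolver during parsing; the second reports true because the hardened factory fails the parse at the DOCTYPE. Disabling the servlet mapping as the advisory suggests removes the endpoint entirely; applying the hardened factory settings is what a fixed XML-RPC implementation needs if the endpoint is to stay available.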