Server-side Request Forgery (SSRF) Affecting org.apache.roller:roller-webapp package, versions [,5.2.2)
Attack Complexity
High
snyk-id: SNYK-JAVA-ORGAPACHEROLLER-174811
published: 29 May 2019
disclosed: 28 May 2019
credit: Arseniy Sharoglazov
Introduced: 28 May 2019
CVE-2018-17198
How to fix?
Upgrade org.apache.roller:roller-webapp to version 5.2.2 or higher.
Note:
Editing the Roller web.xml file and commenting out the XML-RPC servlet mapping manually fixes the vulnerability as well, because the vulnerable endpoint is then no longer reachable:
<!--
<servlet-mapping>
<servlet-name>XmlRpcServlet</servlet-name>
<url-pattern>/roller-services/xmlrpc</url-pattern>
</servlet-mapping>
-->
Overview
org.apache.roller:roller-webapp is the web application module of Apache Roller, a Java-based blog server.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) because the XML-RPC interface is implemented with the Java SAX parser, and by default that parser resolves external entities declared in an XML DOCTYPE, so a request body can make the server fetch a URL of the sender's choosing.
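For readers who maintain their own XML-RPC or other XML-accepting endpoint, the following is an added example (not Roller's code and not part of the advisory) of the parser configuration that closes this class of issue: the SAX factory is told to reject any DOCTYPE and, as defence in depth, to disable external entity and DTD loading, and a no-op EntityResolver stops the parser from fetching anything on its own. The handler, method name and request bodies are constructed for the demonstration; the URL in the second sample is a placeholder.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlRpcParser {

    // Build a SAX reader that refuses DOCTYPE declarations entirely and, as
    // defence in depth, disables external entity resolution and DTD loading.
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // XML-RPC never needs a DTD, so reject any DOCTYPE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        // Never let the parser fetch anything on its own: resolve every entity to empty.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    // Parse an XML-RPC request body and return the <methodName> text.
    // Any document carrying a DOCTYPE is rejected with a SAXException
    // before the parser ever looks at the entity's URL.
    static String parseMethodName(String body) throws Exception {
        XMLReader reader = newHardenedReader();
        final StringBuilder name = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            private boolean inMethodName;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                inMethodName = "methodName".equals(qName);
            }
            @Override public void endElement(String uri, String local, String qName) {
                inMethodName = false;
            }
            @Override public void characters(char[] ch, int start, int len) {
                if (inMethodName) name.append(ch, start, len);
            }
        });
        reader.parse(new InputSource(new StringReader(body)));
        return name.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign XML-RPC call with a made-up method name.
        String benign = "<?xml version=\"1.0\"?>"
            + "<methodCall><methodName>example.ping</methodName><params/></methodCall>";
        System.out.println("benign -> " + parseMethodName(benign));

        // Constructed sample: the same call prefixed with a DOCTYPE that declares
        // an external entity (placeholder URL). The hardened reader throws on the
        // DOCTYPE itself, so no request to that URL is ever made.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"http://placeholder.invalid/\">]>"
            + "<methodCall><methodName>&ext;</methodName></methodCall>";
        try {
            parseMethodName(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the one that matters for an XML-RPC endpoint, since the protocol never uses a DTD; the remaining features and the empty EntityResolver only matter if a different parser implementation is plugged in that does not honour it. Apply the same settings to every SAXParserFactory, DocumentBuilderFactory and XMLInputFactory the application creates, not only the one behind the public endpoint.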