Server-side Request Forgery (SSRF) Affecting org.apache.roller:roller-webapp package, versions [,5.2.2)

  • published: 29 May 2019

  • disclosed: 28 May 2019

  • credit: Arseniy Sharoglazov

How to fix?

Upgrade org.apache.roller:roller-webapp to version 5.2.2 or higher.

Note: Commenting out the XML-RPC servlet mapping in Roller's web.xml also closes the hole, since the vulnerable parser is only reached through the XML-RPC interface. Bear in mind that this disables XML-RPC entirely, so blog clients that post through it will stop working until you upgrade.

org.apache.roller:roller-webapp is the web application artifact of Apache Roller, a Java blog server.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). Roller implements its XML-RPC interface on top of the Java SAX parser, and by default that parser resolves external entities declared in the DOCTYPE of the incoming document. An attacker who can send a request to the XML-RPC endpoint can therefore declare an entity whose SYSTEM identifier is a URL of their choosing and make the Roller server fetch it, reaching hosts that are only accessible from the server's network.
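The mechanism described above, as an added example in Java (this is not Roller's own code): a minimal SAX-based handler reads the string parameter of an XML-RPC methodCall, first with a default SAXParserFactory and then with a factory that forbids DOCTYPE declarations and external entities. So that it runs offline, the entity points at a temporary file the program creates, standing in for the http:// URL of an internal service an attacker would target; the class and method names, and the blogger.getUsersBlogs method name in the request, are illustrative assumptions.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XmlRpcEntityDemo {

    /** Collects the text of every <string> element, as an XML-RPC handler would. */
    static final class StringCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        private boolean inString;

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("string".equals(qName)) inString = true;
        }

        @Override
        public void endElement(String uri, String local, String qName) {
            if ("string".equals(qName)) inString = false;
        }

        @Override
        public void characters(char[] ch, int start, int length) {
            if (inString) text.append(ch, start, length);
        }
    }

    /** Default JDK SAX parser: DOCTYPE and external entity references are honoured. */
    static SAXParser vulnerableParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened parser: no DOCTYPE at all, so no entity can be declared, plus belt-and-braces. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser();
    }

    /** Parses an XML-RPC request body and returns the concatenated <string> content. */
    static String parse(SAXParser parser, String xml) throws Exception {
        StringCollector handler = new StringCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an internal resource. In a real attack the SYSTEM
        // identifier would be an http:// URL to a host only the server can reach.
        Path internal = Files.createTempFile("internal-", ".txt");
        Files.write(internal, "response-from-internal-service".getBytes(StandardCharsets.UTF_8));

        // Attacker-controlled request body: the DOCTYPE declares an external entity and
        // the method parameter references it, so the parser fetches it on the server's behalf.
        String request =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE methodCall [\n" +
            "  <!ENTITY fetch SYSTEM \"" + internal.toUri() + "\">\n" +
            "]>\n" +
            "<methodCall>\n" +
            "  <methodName>blogger.getUsersBlogs</methodName>\n" +
            "  <params><param><value><string>&fetch;</string></value></param></params>\n" +
            "</methodCall>\n";

        System.out.println("default parser : " + parse(vulnerableParser(), request));
        try {
            parse(hardenedParser(), request);
            System.out.println("hardened parser: unexpectedly accepted the request");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(internal);
    }
}
```

Compile with javac and run: the default parser prints the temporary file's content where the string parameter should be, showing that the server fetched whatever the entity pointed at, while the hardened parser throws SAXParseException as soon as it sees the DOCTYPE. Of the four settings, disallow-doctype-decl is the decisive one; an XML-RPC endpoint has no legitimate need for a DTD, so rejecting the declaration outright is simpler and safer than trying to filter individual entity types.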