Server-side Request Forgery (SSRF) Affecting org.apache.xmlrpc:xmlrpc package, versions [3.0,3.1.4)
Attack Complexity: Low
User Interaction: Required
Confidentiality: High
Integrity: High
Availability: High
snyk-id: SNYK-JAVA-ORGAPACHEXMLRPC-31032
published: 13 Jul 2016
disclosed: 13 Jul 2016
credit: 0ang3el
Introduced: 13 Jul 2016
CVE-2016-5002
Overview
org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.
Affected versions of the package are vulnerable to Server-Side Request Forgery (SSRF). By sending XML with a DOCTYPE declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable XML-RPC endpoint.