Server-side Request Forgery (SSRF) Affecting org.apache.xmlrpc:xmlrpc package, versions [3.0,3.1.4)

Attack Complexity

Low
User Interaction

Required
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHEXMLRPC-31032
published

13 Jul 2016
disclosed

13 Jul 2016
credit

0ang3el

Report a new vulnerability Found a mistake?

Introduced: 13 Jul 2016

CVE-2016-5002 Open this link in a new tab CWE-918 Open this link in a new tab

Overview

org.apache.xmlrpc:xmlrpc is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.

Affected versions of the package are vulnerable to Server Side Request Forgery (SSRF). Sending an XML with a DOCTYPE declaration that loads an external DTD, a malicious user can send a GET request to the host on behalf of a vulnerable xml-rpc endpoint.

Server-side Request Forgery (SSRF) Affecting org.apache.xmlrpc:xmlrpc package, versions [3.0,3.1.4)

Attack Complexity

User Interaction

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 13 Jul 2016

Overview

References