
GLSA-202401-26 : Apache XML-RPC: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202401-26 (Apache XML-RPC: Multiple Vulnerabilities):

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. (CVE-2016-5002)

The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an element. (CVE-2016-5003)

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. (CVE-2019-17570)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version…
