CVE-2016-5002

Published: Oct 27, 2017Modified: May 13, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.

Affected (1)

Products: Apache: Xml Rpc

Apache

1 product

Xml Rpc

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Xml Rpc	Version 3.1.3

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (14)

http://www.openwall.com/lists/oss-security/2016/07/12/5

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/91736

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1036294

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://access.redhat.com/errata/RHSA-2018:3768

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/115042

Source: secalert@redhat.com

Issue TrackingThird Party AdvisoryVDB Entry

https://security.gentoo.org/glsa/202401-26

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2016/07/12/5