CVE-2016-5002
HIGHApache XML-RPC 3.1.3 - XML External Entity Injection via Crafted DTD
Title source: llmDescription
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/07/12/5
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036294
Issue Tracking, Third Party Advisory x_refsource_misc
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
Issue Tracking, Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/115042
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/91736
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3768
Third Party Advisory
https://security.gentoo.org/glsa/202401-26
Scores
CVSS v3
7.8
EPSS
0.0353
EPSS Percentile
87.8%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (2)
apache/xml-rpc
3.1.3
org.apache.xmlrpc/xmlrpc
0Maven
Published
Oct 27, 2017
Tracked Since
Feb 18, 2026