CVE-2016-5002: XEE
First published: Fri Oct 27 2017(Updated: )
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.xmlrpc:xmlrpc | <=3.1.3 | |
| PHP XML-RPC | =3.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2016-5002
- https://access.redhat.com/errata/RHSA-2018:3768
- https://exchange.xforce.ibmcloud.com/vulnerabilities/115042
- http://www.openwall.com/lists/oss-security/2016/07/12/5
- https://web.archive.org/web/20210123151805/http://www.securityfocus.com/bid/91736
- https://web.archive.org/web/20211021044107/http://www.securitytracker.com/id/1036294
- https://web.archive.org/web/20230520164025/https://0ang3el.blogspot.com/2016/07/beware-of-ws-xmlrpc-library-in-your.html
- https://github.com/advisories/GHSA-wp35-6jqv-r33m (Advisory)
- http://www.securityfocus.com/bid/91736
- http://www.securitytracker.com/id/1036294
- https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1508111
- https://src.fedoraproject.org/rpms/xmlrpc/c/2db59ec8a8b4d358802e98ce0151af84d7b93752?branch=master
- https://bugzilla.redhat.com/show_bug.cgi?id=1508110
- https://security.gentoo.org/glsa/202401-26
Frequently Asked Questions
What is the severity of CVE-2016-5002?
CVE-2016-5002 has been classified with a high severity rating due to its potential for server-side request forgery (SSRF) attacks.
How do I fix CVE-2016-5002?
To fix CVE-2016-5002, upgrade to a version of Apache XML-RPC later than 3.1.3 that does not contain the vulnerability.
What are the impacts of CVE-2016-5002?
The impact of CVE-2016-5002 includes unauthorized access to internal resources and potential data leakage via malicious XML inputs.
Which versions are affected by CVE-2016-5002?
CVE-2016-5002 specifically affects Apache XML-RPC version 3.1.3.
Is CVE-2016-5002 an executable vulnerability?
No, CVE-2016-5002 is not an executable vulnerability, but rather an XML external entity (XXE) vulnerability that can be exploited through crafted XML requests.
- agent/weakness
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5002
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wp35-6jqv-r33m
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/event
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- package-manager/maven
- vendor/apache
- canonical/php xml-rpc
- version/php xml-rpc/3.1.3