CVE-2016-5002 : XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) li

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.

Published 2017-10-27 18:29:00

Updated 2024-01-22 17:15:08

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionServer-side request forgery (SSRF)

Products affected by CVE-2016-5002

Apache » Xml-rpc » Version: 3.1.3
cpe:2.3:a:apache:xml-rpc:3.1.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-5002

EPSS FAQ

7.83%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-5002

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-5002

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-5002

http://www.securityfocus.com/bid/91736

Apache XML-RPC Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://security.gentoo.org/glsa/202401-26

Apache XML-RPC: Multiple Vulnerabilities (GLSA 202401-26) — Gentoo security

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/115042

Apache Archiva ws-xmlrpc library server-side request forgery CVE-2016-5002 Vulnerability Report
Issue Tracking;Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2018:3768

RHSA-2018:3768 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html

Beware of ws-xmlrpc library in your Java App ~ Из крайности в безопасность
Issue Tracking;Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1036294

Apache Archiva Bugs in XML-RPC Library Let Remote Users Conduct Server-Side Request Forgery Attacks, Deny Service, and Potentially Execute Arbitrary Code - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/07/12/5

oss-security - Vulnerabilities in Apache Archiva
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-5002

Products affected by CVE-2016-5002

Exploit prediction scoring system (EPSS) score for CVE-2016-5002

CVSS scores for CVE-2016-5002

CWE ids for CVE-2016-5002

References for CVE-2016-5002