DSA-4619-1 libxmlrpc3-java -- libxmlrpc3-java
ID: oval:org.secpod.oval:def:69949 | Date: (C)2021-03-07 (M)2024-01-29 |
Class: PATCH | Family: unix |
Guillaume Teissier reported that the XML-RPC client in libxmlrpc3-java, an XML-RPC implementation in Java, deserializes the server-side exception carried in the faultCause field of XML-RPC fault (error) response messages. Because that field is under the server's control, a malicious XML-RPC server can exploit this flaw to execute arbitrary code with the privileges of any application using the Apache XML-RPC client library. Note that, with the fix applied, a client that expects to receive server-side exceptions needs to set the enabledForExceptions property explicitly; otherwise the faultCause content is not deserialized.
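The following is an added example, not code from the advisory or from the Apache XML-RPC project, that shows what the vulnerable path receives and how a client-side triage step should treat it. It parses a fault response of the shape Apache XML-RPC emits (faultCode, faultString and a base64-encoded faultCause struct member), checks whether the blob starts with the Java object-serialization stream header, and only marks it for deserialization when the application has opted in, mirroring the enabledForExceptions behaviour described above. The sample response, the fragment in SAMPLE_CAUSE and the function names are constructed for illustration; the "deserialize-with-filter" outcome is this example's recommendation (use an ObjectInputFilter allowlist on the Java side), not something the advisory specifies.

```python
import base64
import xml.etree.ElementTree as ET

# First four bytes of every java.io.ObjectOutputStream stream:
# STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Constructed sample, not captured traffic. The blob is only the stream header
# plus the opening bytes of a class descriptor (TC_OBJECT, TC_CLASSDESC, a UTF
# length and a class name); it is not a complete object and not a gadget chain.
SAMPLE_CAUSE = JAVA_SERIAL_MAGIC + b"sr\x00\x13java.lang.Exception"
SAMPLE_FAULT = (
    "<?xml version='1.0'?>"
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>0</int></value></member>"
    "<member><name>faultString</name><value><string>boom</string></value></member>"
    "<member><name>faultCause</name><value><base64>"
    + base64.b64encode(SAMPLE_CAUSE).decode("ascii")
    + "</base64></value></member>"
    "</struct></value></fault></methodResponse>"
)


def _scalar(value_el):
    """Decode one <value> element; only the XML-RPC scalar types a fault uses."""
    child = next(iter(value_el), None)
    if child is None:  # a bare <value>text</value> is an implicit string
        return value_el.text or ""
    if child.tag in ("int", "i4"):
        return int(child.text)
    if child.tag == "string":
        return child.text or ""
    if child.tag == "base64":
        return base64.b64decode(child.text or "")
    raise ValueError("unsupported value type: %s" % child.tag)


def parse_fault(xml_text):
    """Return the fault struct of a <methodResponse> as a dict, or None if not a fault.

    Note: for responses from untrusted servers use a hardened XML parser
    (e.g. defusedxml) rather than the stdlib ElementTree used here for brevity.
    """
    root = ET.fromstring(xml_text)
    struct = root.find("./fault/value/struct")
    if struct is None:
        return None
    return {m.findtext("name"): _scalar(m.find("value")) for m in struct.findall("member")}


def is_java_serialized(blob):
    """True when the bytes carry the Java object-serialization stream header."""
    return isinstance(blob, (bytes, bytearray)) and bytes(blob[:4]) == JAVA_SERIAL_MAGIC


def triage_fault(xml_text, enabled_for_exceptions=False):
    """Decide what a client should do with faultCause.

    The unpatched client handed the blob to ObjectInputStream unconditionally.
    Here it is dropped unless the application explicitly opted in, and even then
    the caller is told to deserialize only through a class allowlist filter.
    """
    fault = parse_fault(xml_text)
    if fault is None:
        return {"is_fault": False}
    cause = fault.get("faultCause")
    result = {
        "is_fault": True,
        "faultCode": fault.get("faultCode"),
        "faultString": fault.get("faultString"),
        "has_cause": cause is not None,
        "cause_is_java_serialized": is_java_serialized(cause),
    }
    if cause is None:
        result["action"] = "none"
    elif not enabled_for_exceptions:
        result["action"] = "drop"  # never feed untrusted bytes to ObjectInputStream
    elif not is_java_serialized(cause):
        result["action"] = "reject"  # not a Java stream at all; treat as malformed
    else:
        result["action"] = "deserialize-with-filter"  # opted in; still allowlist classes
    return result


if __name__ == "__main__":
    print(triage_fault(SAMPLE_FAULT))
    print(triage_fault(SAMPLE_FAULT, enabled_for_exceptions=True))
```

With the default configuration the sample yields action "drop" even though the blob is a well-formed Java stream header, which is the behaviour the fixed client has unless enabledForExceptions is set; the magic-byte check is also a cheap signal for a proxy or IDS rule that wants to flag fault responses carrying serialized Java objects.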
Product: libxmlrpc3-java-doc |