Posted to dev@roller.apache.org by Dave <sn...@gmail.com> on 2014/01/11 23:12:23 UTC
CVE-2014-0030 Apache Roller XML-RPC susceptible to XML Extended Entity attacks
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
Roller 4.0.0 and 4.0.1
Roller 5.0, 5.0.1 and 5.0.2
The unsupported Roller 3.1 release is also affected
Description:
Roller's XML-RPC protocol support was susceptible to XML Extended Entity-based
attacks. This vulnerability exists even if XML-RPC is disabled via the Roller
Admin Console.
Mitigation:
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.3
Roller 5.0, 5.0.1 and 5.0.2 users should upgrade to Roller 5.0.3
Roller 3.1 users should upgrade to Roller 5.0.3
Credit:
Adam Baldwin