roller-dev mailing list archives

From Dave <snoopd...@gmail.com>
Subject CVE-2014-0030 Apache Roller XML-RPC susceptible to XML Extended Entity attacks
Date Sat, 11 Jan 2014 22:12:23 GMT
Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 and 4.0.1
Roller 5.0, 5.0.1 and 5.0.2
The unsupported Roller 3.1 release is also affected

Description:
Roller's XML-RPC protocol support was susceptible to XML Extended Entity
based attacks. This vulnerability exists even if XML-RPC is disabled via
the Roller Admin Console.

Mitigation:
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.3
Roller 5.0, 5.0.1 and 5.0.2 users should upgrade to Roller 5.0.3
Roller 3.1 users should upgrade to Roller 5.0.3

Credit:
Adam Baldwin
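The advisory describes the vulnerability class only, not the fix. As an added example (not Roller's own code, which is Java), the following Python function shows the usual defensive shape for an XML-RPC endpoint: parse the methodCall body with a parser that refuses any DOCTYPE, since every entity declaration, external or otherwise, has to live inside one. The request bodies, the method name `example.ping` and the `file:///placeholder/...` system identifier are all constructed for the example.

```python
"""Added example, not part of the Apache Roller advisory or code base.

Hardened XML-RPC request parsing with Python's expat: any DTD is rejected
before a single entity can be declared, so external entities and entity
expansion bombs never reach the application. Roller is Java; this models
the check rather than reproducing the project's fix.
"""
import xml.parsers.expat


class UnsafeXmlRpcRequest(ValueError):
    """Raised when a request carries a DOCTYPE (and so possibly entities)."""


def parse_method_call(body: bytes) -> tuple[str, list[str]]:
    """Return (methodName, [string params]) for a minimal XML-RPC methodCall."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as expat sees <!DOCTYPE ...>, before any entity
        # declared inside it is processed.
        raise UnsafeXmlRpcRequest("DOCTYPE is not permitted in XML-RPC requests")

    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: never fetch external content even if a DTD got through.
    parser.ExternalEntityRefHandler = lambda *_: 0
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    path: list[str] = []    # element stack, e.g. ["methodCall", "params", ...]
    text: list[str] = []    # character data of the element being read
    params: list[str] = []
    method_name = ""

    def start(tag, attrs):
        path.append(tag)
        text.clear()

    def data(chunk):
        text.append(chunk)

    def end(tag):
        nonlocal method_name
        value = "".join(text).strip()
        if path == ["methodCall", "methodName"]:
            method_name = value
        elif path[-3:] == ["param", "value", "string"]:
            params.append(value)
        path.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = data
    parser.EndElementHandler = end
    parser.Parse(body, True)
    if not method_name:
        raise ValueError("missing methodName")
    return method_name, params


def is_request_accepted(body: bytes) -> bool:
    """True if the body parses under the hardened parser, False if rejected."""
    try:
        parse_method_call(body)
    except (UnsafeXmlRpcRequest, xml.parsers.expat.ExpatError, ValueError):
        return False
    return True


# Constructed sample: an ordinary, well-formed XML-RPC call.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.ping</methodName>
  <params>
    <param><value><string>appkey</string></value></param>
    <param><value><string>alice</string></value></param>
  </params>
</methodCall>"""

# Constructed sample carrying a DTD with an external entity; the system
# identifier is a placeholder, not a real path.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY ext SYSTEM "file:///placeholder/local-file">
]>
<methodCall>
  <methodName>example.ping</methodName>
  <params><param><value><string>&ext;</string></value></param></params>
</methodCall>"""


if __name__ == "__main__":
    print(parse_method_call(BENIGN_REQUEST))
    print("XXE request accepted:", is_request_accepted(XXE_REQUEST))
```

The same check belongs in front of the endpoint regardless of whether XML-RPC is switched off in the application's settings, which is the point the advisory makes: the parser was reachable even when the feature was disabled in the Admin Console, so the hardening has to sit at the parser, not behind a feature flag.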
