CVE-2011-3600

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
apacheofbiz
16.11.01 ≤
𝑥
≤ 16.11.04
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxmlrpc3-java
hardy
ignored
lucid
ignored
maverick
not-affected
natty
not-affected
oneiric
not-affected
precise
not-affected
quantal
not-affected
raring
not-affected
saucy
not-affected
Common Weakness Enumeration
References
http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30%40apache.org%3E
https://access.redhat.com/security/cve/cve-2011-3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3600
https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550%40%3Ccommits.ofbiz.apache.org%3E
https://security-tracker.debian.org/tracker/CVE-2011-3600
http://mail-archives.apache.org/mod_mbox/ofbiz-user/201810.mbox/%3Cfad45546-af86-0293-9ea7-014553474b30%40apache.org%3E
https://access.redhat.com/security/cve/cve-2011-3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3600
https://lists.apache.org/thread.html/7793319ae80ec350f7b82a8763460944f120ebe447f14a12155d0550%40%3Ccommits.ofbiz.apache.org%3E
https://security-tracker.debian.org/tracker/CVE-2011-3600