0Ang3El

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 3.0.12 Apache CXF versions 3.1.x prior to 3.1.9 **Description** The issue concerns the JAX-RS module in Apache CXF, which provides Atom JAX-RS MessageBodyReaders that utilize the Apache Abdera Parser. This parser expands XML entities by default, posing a significant XML External Entity (XXE) risk. **Recommendations** For Apache CXF versions prior to 3.0.12, update to version 3.0.12 or later. For Apache CXF versions 3.1.x prior to 3.1.9, update to version 3.1.9 or later.

**Name of the Vulnerable Software and Affected Versions** ws-xmlrpc version 3.1.3 **Description** The issue allows remote attackers to cause a denial of service by decompressing a large file containing zeroes, exploiting the Content-Encoding HTTP header feature. **Recommendations** For ws-xmlrpc version 3.1.3, consider disabling the Content-Encoding HTTP header feature as a temporary workaround until a patch is available. Restrict access to large files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache XML-RPC library version 3.1.3 **Description** The issue allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. This is due to the library's failure to properly verify data from external sources. Exploitation of this issue can enable a remote attacker to execute arbitrary code using a specially formed serialized Java object with the <ex:serializable> element. **Recommendations** For Apache XML-RPC library version 3.1.3, consider disabling the use of <ex:serializable> elements until a patch is available to prevent exploitation. Restrict access to the library to minimize the risk of remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache XML-RPC library version 3.1.3 **Description** The issue is related to an XML external entity (XXE) vulnerability in the Apache XML-RPC library. This vulnerability allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD. The vulnerability is caused by incorrect restriction of XML links to external objects. **Recommendations** For Apache XML-RPC library version 3.1.3, consider disabling the XML external entity processing to prevent SSRF attacks until a patch is available. Restrict access to the library to minimize the risk of exploitation. Avoid using crafted DTDs in the affected library until the issue is resolved.