PT-2019-9409 · Apache · Apache Roller

Arseniy Sharoglazov

·

Published

2019-05-28

·

Updated

2019-06-11

·

CVE-2018-17198

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Roller versions 5.2.1, 5.2.0 and earlier

Description
Apache Roller is vulnerable to Server-Side Request Forgery (SSRF) and file enumeration through XML External Entity (XXE) processing. The Roller XML-RPC endpoint parses request bodies with the Java SAX parser, which resolves external entities declared in an XML DOCTYPE by default, so an unauthenticated request can make the server fetch attacker-chosen URLs (including internal network resources) and enumerate files on the server. Disabling the Roller XML-RPC interface in the Roller web admin UI does not remove the vulnerability; the request still reaches the servlet and is parsed.

Recommendations
For Apache Roller versions 5.2.1, 5.2.0 and earlier, upgrade to Apache Roller 5.2.2 or later, which fixes the issue. If upgrading is not immediately possible, edit the Roller web.xml file and comment out the XML-RPC servlet mapping, specifically the mapping for XmlRpcServlet with the url-pattern /roller-services/xmlrpc, so that the vulnerable endpoint is no longer reachable.

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2018-17198

Affected Products

Apache Roller