CVE-2011-3600

NameCVE-2011-3600
DescriptionThe /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figure out from returned error messages whether a file exists or not. This affects OFBiz 16.11.01 to 16.11.04.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxmlrpc3-java (PTS)jessie3.1.3-7fixed
jessie (security)3.1.3-7+deb8u1fixed
stretch3.1.3-8fixed
stretch (security)3.1.3-8+deb9u1fixed
buster3.1.3-9fixed
buster (security)3.1.3-9+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxmlrpc3-javasource(unstable)3.1.3-1low

Notes

[lenny] - libxmlrpc3-java <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems