JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. · CVE-2018-15531 · GitHub Advisory Database · GitHub

JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

Critical severity GitHub Reviewed Published Oct 17, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

net.bull.javamelody:javamelody-core (Maven)

Affected versions

< 1.74.0

Patched versions

1.74.0

Description

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

References

Published to the GitHub Advisory Database Oct 17, 2018

Reviewed Jun 16, 2020

Last updated Jan 9, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H