Description
JavaMelody is a monitoring tool for Java and Java EE applications in QA and production environments.
JavaMelody versions before 1.74.0 are affected by an XML External Entity (XXE) processing vulnerability in parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. The request wrapper parses the body of incoming SOAP requests with an XML parser that still honours DTDs and external entities, so an unauthenticated attacker who can send a crafted SOAP request to a monitored web application can read files from the server's file system, perform server-side request forgery through entity URLs, or cause denial of service (for example by entity expansion).
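The following added example (not JavaMelody's own code) shows the vulnerable pattern beside the hardened one: a StAX parser walking a SOAP envelope to find the method element, first with the JDK default XMLInputFactory, then with DTDs and external entities disabled. The payload, the temporary secret file it points at and the element names are constructed for the demonstration; the hardening applied is the standard StAX mitigation for XXE and is not a claim about the exact diff shipped in 1.74.0.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class SoapXxeDemo {

    // Walks the SOAP envelope like a "find the method name" helper would:
    // returns the local name of the first element inside Body and the text
    // it contains. Any entity reference met on the way is expanded by the
    // parser according to the factory's settings.
    static String[] parseSoap(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        String method = null;
        StringBuilder text = new StringBuilder();
        boolean inBody = false;
        while (reader.hasNext()) {
            int event = reader.next();
            if (event == XMLStreamConstants.START_ELEMENT) {
                if ("Body".equals(reader.getLocalName())) {
                    inBody = true;
                } else if (inBody && method == null) {
                    method = reader.getLocalName();
                }
            } else if (event == XMLStreamConstants.CHARACTERS && method != null) {
                text.append(reader.getText());
            }
        }
        reader.close();
        return new String[] {method, text.toString().trim()};
    }

    // Vulnerable: the JDK default factory processes DTDs and resolves
    // external entities, so a SYSTEM entity pointing at a file or URL is fetched.
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened: no DTD processing and no external entity resolution. With these
    // settings the crafted payload below is rejected (or the reference is left
    // unexpanded) instead of leaking the file contents.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret on the server's file system.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db-password=hunter2");

        // Constructed attacker request: a DOCTYPE declaring an external entity
        // that points at the secret file, referenced from inside the SOAP body.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soap:Body><getUser><name>&xxe;</name></getUser></soap:Body>"
            + "</soap:Envelope>";

        String[] leaked = parseSoap(vulnerableFactory(), payload);
        System.out.println("vulnerable: method=" + leaked[0] + " text=" + leaked[1]);

        try {
            String[] safe = parseSoap(hardenedFactory(), payload);
            System.out.println("hardened:   method=" + safe[0] + " text=" + safe[1]);
        } catch (XMLStreamException e) {
            System.out.println("hardened:   parser rejected the payload: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the default factory the printed text is the contents of the temporary file, which is exactly what an attacker obtains from a vulnerable deployment; swapping the SYSTEM URI for an http:// URL turns the same request into a server-side request forgery. The hardened factory either throws on the undeclared entity or reports it unexpanded, so nothing is read from disk.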
Remediation
Upgrade to JavaMelody 1.74.0 or later, where this vulnerability was fixed; upgrading to the latest release is recommended. Because the monitoring filter wraps requests to the application, every deployment that bundles javamelody-core should be checked: confirm the version of the javamelody-core artifact actually deployed (the jar name or the dependency declared in the build), not only the version in the source repository.