JavaMelody XML External Entity (XXE) vulnerability

Description
  • JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments.

    JavaMelody versions before 1.74.0 are affected by an XML External Entity (XXE) processing vulnerability via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. This vulnerability allows an attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks.
Remediation
  • Upgrade to the latest version of JavaMelody. This vulnerability was fixed in version 1.74.0.
References