Description

JavaMelody is a tool used to monitor Java or Java EE applications in QA and production environments.

JavaMelody versions before 1.74.0 are affected by an XML External Entity (XXE) processing vulnerability via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java. The wrapper parses the XML body of incoming SOAP requests to extract the method name that JavaMelody displays in its monitoring reports, and the XML parser it used resolved external entities. An attacker who can send crafted requests to the monitored web application can therefore supply a malicious DTD to read files from the server's file system and extract secrets, to make the server issue requests to internal hosts (server-side request forgery), or to exhaust parser resources (denial of service).
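The parsing pattern behind this class of bug, shown as an added illustration that is not JavaMelody's own code: a small StAX-based SOAP method-name extractor run once with a default XMLInputFactory and once with a hardened one, against a constructed payload whose DTD points an external entity at a temporary file. The class and method names (SoapXxeDemo, parseSoapCall), the payload and the secret file are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SoapXxeDemo {

    /** Result of parsing a SOAP envelope: the operation name and the text inside it. */
    static final class SoapCall {
        final String method;
        final String text;
        SoapCall(String method, String text) { this.method = method; this.text = text; }
    }

    /** Default factory: the JDK's built-in StAX implementation enables DTDs and
     *  external entities by default, which is the weak configuration. */
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: no DTD processing, no external entity resolution. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Reads the whole envelope and returns the first element inside soap:Body
     * (the "method name") together with the character data it contains.
     * Reading to the end forces the parser to expand any entity references.
     */
    static SoapCall parseSoapCall(XMLInputFactory factory, String body) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(body));
        String method = null;
        StringBuilder text = new StringBuilder();
        int depthInMethod = 0;   // > 0 while inside the method element
        boolean inBody = false;
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT) {
                    if (depthInMethod > 0) {
                        depthInMethod++;
                    } else if (inBody && method == null) {
                        method = r.getLocalName();
                        depthInMethod = 1;
                    } else if ("Body".equals(r.getLocalName())) {
                        inBody = true;
                    }
                } else if (ev == XMLStreamConstants.END_ELEMENT) {
                    if (depthInMethod > 0) depthInMethod--;
                } else if (ev == XMLStreamConstants.CHARACTERS && depthInMethod > 0) {
                    text.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return new SoapCall(method, text.toString());
    }

    public static void main(String[] args) throws IOException {
        // Constructed "secret" file standing in for something like /etc/passwd.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        try {
            // Constructed attacker payload: the internal DTD subset declares an external
            // entity pointing at the file and the body expands it inside the operation.
            String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE x [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">\n"
                + "  <soap:Body><getUser>&xxe;</getUser></soap:Body>\n"
                + "</soap:Envelope>";

            for (String mode : new String[] {"unsafe", "hardened"}) {
                XMLInputFactory f = mode.equals("unsafe") ? unsafeFactory() : hardenedFactory();
                try {
                    SoapCall call = parseSoapCall(f, payload);
                    // unsafe: text holds the file contents, i.e. the secret leaked
                    // through the parser; hardened (if it parses at all): text is empty.
                    System.out.println(mode + ": method=" + call.method + " text=" + call.text);
                } catch (XMLStreamException e) {
                    // hardened: the DOCTYPE is rejected or &xxe; is reported as
                    // undeclared, depending on the StAX implementation; the file
                    // is never opened either way.
                    System.out.println(mode + ": rejected (" + e.getMessage() + ")");
                }
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The same two properties are the standard mitigation for any StAX parser that consumes attacker-controlled XML; DOM and SAX parsers have equivalent settings (disallow-doctype-decl and the external-general/parameter-entities features). Only the unsafe run should print the file contents; in a real deployment the leaked text would surface wherever the extracted name is stored or displayed, or could be pushed to an attacker-controlled URL through the same entity mechanism.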

Remediation

Upgrade JavaMelody to version 1.74.0 or later, where this vulnerability was fixed. Until the upgrade is deployed, check that no XML parser reachable from request bodies in the application has DTD processing or external entity resolution enabled, since the same configuration weakness can exist outside JavaMelody.