Deserialization of Untrusted Data
Description
Enabling extensions on an Apache XML-RPC server or client exposes a deserialization vulnerability that can allow an attacker to execute arbitrary code.
Examples
Insecure Code
```scala
val config = new XmlRpcServerConfigImpl()
config.setEnabledForExtensions(true)
```
Secure Code
```scala
val config = new XmlRpcServerConfigImpl()
config.setEnabledForExtensions(false)
```
Remediation
Disable extensions on the Apache XML-RPC server or client configuration by calling setEnabledForExtensions(false).
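The following is an added example, not code from the rule or from Apache XML-RPC, showing where the flag sits in a complete server and client setup and a guard that refuses to proceed if a configuration object has extensions enabled. The `Calculator` handler class, the port and the URL are assumptions for illustration.

```scala
import java.net.URL
import org.apache.xmlrpc.XmlRpcConfig
import org.apache.xmlrpc.client.{XmlRpcClient, XmlRpcClientConfigImpl}
import org.apache.xmlrpc.server.{PropertyHandlerMapping, XmlRpcServerConfigImpl}
import org.apache.xmlrpc.webserver.WebServer

// Hypothetical handler exposed over XML-RPC; takes only primitive arguments.
class Calculator {
  def add(a: Int, b: Int): Int = a + b
}

object XmlRpcHardening {
  // Fails fast if any XML-RPC config (server or client) has extensions on,
  // since that is the switch that admits serialized objects (CWE-502).
  def assertExtensionsDisabled(config: XmlRpcConfig): Unit =
    require(!config.isEnabledForExtensions,
      "XML-RPC extensions must stay disabled to avoid untrusted deserialization")

  def startServer(port: Int): WebServer = {
    val serverConfig = new XmlRpcServerConfigImpl()
    serverConfig.setEnabledForExtensions(false)  // the remediation from the rule
    assertExtensionsDisabled(serverConfig)

    val mapping = new PropertyHandlerMapping()
    mapping.addHandler("Calculator", classOf[Calculator])

    val webServer = new WebServer(port)
    val xmlRpcServer = webServer.getXmlRpcServer
    xmlRpcServer.setHandlerMapping(mapping)
    xmlRpcServer.setConfig(serverConfig)
    webServer.start()
    webServer
  }

  def buildClient(serverUrl: String): XmlRpcClient = {
    val clientConfig = new XmlRpcClientConfigImpl()
    clientConfig.setServerURL(new URL(serverUrl))
    clientConfig.setEnabledForExtensions(false)  // the client side has the same switch
    assertExtensionsDisabled(clientConfig)

    val client = new XmlRpcClient()
    client.setConfig(clientConfig)
    client
  }

  def main(args: Array[String]): Unit = {
    val server = startServer(8080)
    val client = buildClient("http://localhost:8080/xmlrpc")
    val sum = client.execute("Calculator.add", Array[AnyRef](Integer.valueOf(2), Integer.valueOf(3)))
    println(s"Calculator.add(2, 3) = $sum")
    server.shutdown()
  }
}
```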
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0078 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, apache, xmlrpc |
| OWASP | N/A |