{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-14T21:03:26.391","vulnerabilities":[{"cve":{"id":"CVE-2018-17198","sourceIdentifier":"security@apache.org","published":"2019-05-28T18:29:00.273","lastModified":"2024-11-21T03:54:04.610","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies on Java SAX Parser to implement its XML-RPC interface and by default that parser supports external entities in XML DOCTYPE, which opens Roller up to SSRF \/ File Enumeration vulnerability. Note that this vulnerability exists even if Roller XML-RPC interface is disable via the Roller web admin UI. Mitigation: There are a couple of ways you can fix this vulnerability: 1) Upgrade to the latest version of Roller, which is now 5.2.2 2) Or, edit the Roller web.xml file and comment out the XML-RPC Servlet mapping as shown below: <!-- <servlet-mapping> <servlet-name>XmlRpcServlet<\/servlet-name> <url-pattern>\/roller-services\/xmlrpc<\/url-pattern> <\/servlet-mapping> -->"},{"lang":"es","value":"Vulnerabilidad de falsificación de peticiónes (SSRF) y de enumeración de archivos en el lado del servidor en Apache Roller versión 5.2.1, 5.2.0 y  anteriores no compatibles, se basa en Java SAX Parser para implementar su interfaz XML-RPC y, por defecto, este analizador admite entidades externas en XML DOCTYPE, que expone a Roller a la vulnerabilidad de tipo SSRF o enumeración de archivos. Es importante indicar que esta vulnerabilidad se presenta incluso si la interfaz Roller XML-RPC está deshabilitada por medio de la interfaz de usuario administrador de Roller Web. Mitigación: se presenta un par de formas en que se puede solucionar esta vulnerabilidad: 1) Actualice a la última versión de Roller, que ahora es versión 5.2.2 2) o, edite el archivo Roller web.xml y comente el mapeo Servlet XML-RPC como se indica a continuación:"}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N\/AC:L\/Au:N\/C:P\/I:P\/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*","versionEndIncluding":"5.1.2","matchCriteriaId":"89B0F0AE-B2C0-46EF-8F4E-536C7D5BEB00"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:-:*:*:*:*:*:*","matchCriteriaId":"3BF42DD4-DC14-4431-B003-F47573F48F44"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:rc2:*:*:*:*:*:*","matchCriteriaId":"6111BFC4-E2DC-4F24-AC3E-E8B0A2F59EE4"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:rc3:*:*:*:*:*:*","matchCriteriaId":"317F3048-B64D-4025-B32A-7253D92099E9"},{
"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:rc4:*:*:*:*:*:*","matchCriteriaId":"AFE5F4B0-FAC9-42BD-835D-8FE17BCFCAFE"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:rc5:*:*:*:*:*:*","matchCriteriaId":"4B985BFD-C455-4348-9BDF-5ABB49EDE155"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.0:rc6:*:*:*:*:*:*","matchCriteriaId":"0C2BDB35-8383-4FE5-8863-D46AA7CB3925"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:roller:5.2.1:*:*:*:*:*:*:*","matchCriteriaId":"92C690A2-4772-493E-8220-133E12692AC9"}]}]}],"references":[{"url":"http:\/\/www.securityfocus.com\/bid\/108496","source":"security@apache.org","tags":["Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/94a36ed9c6241558b1c6181d8dd4ff263be7903abd1d20067d4330d5%40%3Cdev.roller.apache.org%3E","source":"security@apache.org"},{"url":"http:\/\/www.securityfocus.com\/bid\/108496","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https:\/\/lists.apache.org\/thread.html\/94a36ed9c6241558b1c6181d8dd4ff263be7903abd1d20067d4330d5%40%3Cdev.roller.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}