9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36641

GHSA ID

GHSA-g4r8-28fp-f255

EPSS Score

0.27023%

CWE

CWE-611

Published

1/5/2023

Updated

2/13/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-36641

CVE-2020-36641: aXMLRPC XML External Entity vulnerability

A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.12.1 is able to address this issue. The name of the patch is ad6615b3ec41353e614f6ea5fdd5b046442a832b. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36641

GHSA ID

GHSA-g4r8-28fp-f255

EPSS Score

0.27023%

CWE

CWE-611

Published

1/5/2023

Updated

2/13/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fr.turri:aXMLRPC	maven	< 1.12.1	1.12.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the ResponseParser's XML parsing implementation. The commit ad6615b3 explicitly modifies the parse() method to add security features (disallow-doctype-decl, expandEntityReferences=false) that mitigate XXE. The CVE description directly references this function as the affected component, and the patch location confirms the vulnerability existed in the XML parser initialization within this method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility *l*ssi*i** *s pro*l*m*ti* w*s *oun* in *turri *XMLRP* up to *.**.*. T*is vuln*r**ility *****ts t** *un*tion `R*spons*P*rs*r` o* t** *il* `sr*/m*in/j*v*/**/timro*s/*xmlrp*/R*spons*P*rs*r.j*v*`. T** m*nipul*tion l***s to xml *xt*rn*l *n

Reasoning

T** vuln*r**ility st*ms *rom t** `R*spons*P*rs*r`'s XML p*rsin* impl*m*nt*tion. T** *ommit `********` *xpli*itly mo*i*i*s t** `p*rs*()` m*t*o* to *** s**urity ***tur*s (*is*llow-*o*typ*-***l, *xp*n**ntityR***r*n**s=**ls*) t**t miti**t* XX*. T** *V* *

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-36641: aXMLRPC XML External Entity vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI