CVE-2020-36641: 
Java vulnerability analysis and mitigation

A vulnerability classified as problematic was found in gturri aXMLRPC up to version 1.12.0. The vulnerability affects the ResponseParser function in the file src/main/java/de/timroes/axmlrpc/ResponseParser.java, which is susceptible to XML external entity reference attacks. The issue was discovered and disclosed on January 5, 2023, and has been assigned identifier CVE-2020-36641 (CVE).

The vulnerability stems from improper handling of XML external entity references in the ResponseParser function. The issue relates to CWE-611, which involves XML parser configurations that could allow exploitation through external entity references. The vulnerability was addressed by implementing security features in the XML parser configuration, including setting 'disallow-doctype-decl' to true and disabling entity reference expansion (GitHub Commit).

If exploited, this vulnerability could allow attackers to perform XML external entity (XXE) attacks, potentially leading to unauthorized access to system files, server-side request forgery, or denial of service conditions (CVE).

The vulnerability has been fixed in aXMLRPC version 1.14.0. Users are recommended to upgrade to this version or later. The fix includes implementing proper XML parser security configurations and can be identified by the patch 456752ebc1ef4c0db980cb5b01a0b3cd0a9e0bae (GitHub Release).