oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerabilities in Apache Archiva

From: 0ang3el 0ang3el <0ang3el () gmail com>
Date: Tue, 12 Jul 2016 15:40:56 +0300
Hello!

I have recently found three vulnerabilities in ws-xmlrpc library -
https://ws.apache.org/xmlrpc/. Apache Security Team have assigned three CVE
numbers for Apache Archiva project as it uses ws-xmlrpc library.

Here is the list of vulnerabilities with CVE numbers:

   - CVE-2016-5002 - SSRF attack via loading external DTD in ws-xmlrpc.
   - CVE-2016-5003 - Deserialization of untrusted data via serializable
   data type in ws-xmlrpc.
   - CVE-2016-5004 - DoS attack via Content-Encoding header in ws-xmlrpc.

Technical details regarding vulnerabilities are in this post -
https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
.

Regards, 0ang3el.
Previous By Date Next
Previous By Thread Next

Current thread: