ID CVE-2016-5003
Summary The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:ws-xmlrpc:3.1.3:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-12-2018 - 11:29)
Impact:
Exploitability:
CWE CWE-502
CAPEC
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1508123
    title tag
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment xmlrpc3-client is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779007
        • comment xmlrpc3-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779008
      • AND
        • comment xmlrpc3-client-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779009
        • comment xmlrpc3-client-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779010
      • AND
        • comment xmlrpc3-common is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779005
        • comment xmlrpc3-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779006
      • AND
        • comment xmlrpc3-common-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779011
        • comment xmlrpc3-common-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779012
      • AND
        • comment xmlrpc3-javadoc is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779017
        • comment xmlrpc3-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779018
      • AND
        • comment xmlrpc3-server is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779013
        • comment xmlrpc3-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779014
      • AND
        • comment xmlrpc3-server-devel is earlier than 0:3.0-4.17.el6_9
          oval oval:com.redhat.rhsa:tst:20181779015
        • comment xmlrpc3-server-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181779016
    rhsa
    id RHSA-2018:1779
    released 2018-05-31
    severity Important
    title RHSA-2018:1779: xmlrpc3 security update (Important)
  • bugzilla
    id 1508123
    title tag
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment xmlrpc-client is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780005
        • comment xmlrpc-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780006
      • AND
        • comment xmlrpc-common is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780011
        • comment xmlrpc-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780012
      • AND
        • comment xmlrpc-javadoc is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780007
        • comment xmlrpc-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780008
      • AND
        • comment xmlrpc-server is earlier than 1:3.1.3-9.el7_5
          oval oval:com.redhat.rhsa:tst:20181780009
        • comment xmlrpc-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20181780010
    rhsa
    id RHSA-2018:1780
    released 2018-05-31
    severity Important
    title RHSA-2018:1780: xmlrpc security update (Important)
  • rhsa
    id RHSA-2018:1784
  • rhsa
    id RHSA-2018:2317
  • rhsa
    id RHSA-2018:3768
rpms
  • xmlrpc3-client-0:3.0-4.17.el6_9
  • xmlrpc3-client-devel-0:3.0-4.17.el6_9
  • xmlrpc3-common-0:3.0-4.17.el6_9
  • xmlrpc3-common-devel-0:3.0-4.17.el6_9
  • xmlrpc3-javadoc-0:3.0-4.17.el6_9
  • xmlrpc3-server-0:3.0-4.17.el6_9
  • xmlrpc3-server-devel-0:3.0-4.17.el6_9
  • xmlrpc-client-1:3.1.3-9.el7_5
  • xmlrpc-common-1:3.1.3-9.el7_5
  • xmlrpc-javadoc-1:3.1.3-9.el7_5
  • xmlrpc-server-1:3.1.3-9.el7_5
refmap via4
bid
  • 91736
  • 91738
misc https://0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
mlist [oss-security] 20160712 Vulnerabilities in Apache Archiva
sectrack 1036294
xf apache-archiva-cve20165003-code-exec(115043)
Last major update 05-12-2018 - 11:29
Published 27-10-2017 - 18:29