CVE-2016-5003: Deserialization of Untrusted Data
A flaw was discovered in the Apache XML-RPC (ws-xmlrpc) library: it deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use this vulnerability to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
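The library-side mitigation is to leave the vendor extensions off (`setEnabledForExtensions(false)` on the XML-RPC server configuration), which removes the deserialization path entirely. Where that setting cannot be changed immediately, a request screen in front of the endpoint can reject any call that carries an `ex:serializable` element. The following is an added example, not code from the advisory or from the Apache XML-RPC project: it walks the parsed request body and rejects it if a `serializable` element appears anywhere in the parameter tree (including inside arrays or structs), and also rejects bodies that are not well-formed XML. The namespace URI, the `screen_request` name and the sample payloads are assumptions constructed for the example; the payload content `AAAA` is a placeholder, not a serialized object.

```python
import xml.etree.ElementTree as ET

# Namespace Apache XML-RPC binds to the "ex:" prefix for its extensions.
# Assumed here for the sample payloads; the screen below matches the local
# name regardless of which namespace or prefix the sender chose.
EXTENSIONS_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"


def screen_request(body: bytes) -> tuple[bool, str]:
    """Decide whether an XML-RPC request body may reach the dispatcher.

    Returns (True, "ok") for an ordinary call, or (False, reason) when the
    body is malformed or contains a serializable extension element.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Never hand malformed input to the real parser downstream.
        return False, "malformed xml"

    for elem in root.iter():  # depth-first over every element, nested or not
        tag = elem.tag
        # ElementTree renders namespaced tags as "{uri}localname".
        if tag == "serializable" or tag.endswith("}serializable"):
            return False, "serializable extension element present"
    return True, "ok"


# Constructed sample requests (not captured traffic).
BENIGN = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>examples.getStateName</methodName>
  <params><param><value><i4>41</i4></value></param></params>
</methodCall>"""

SUSPECT = (
    b"""<?xml version="1.0"?>
<methodCall xmlns:ex=\"""" + EXTENSIONS_NS.encode() + b"""\">
  <methodName>examples.echo</methodName>
  <params><param><value><ex:serializable>AAAA</ex:serializable></value></param></params>
</methodCall>"""
)

# Same element buried inside an array parameter, to show the walk is recursive.
NESTED = (
    b"""<?xml version="1.0"?>
<methodCall xmlns:ex=\"""" + EXTENSIONS_NS.encode() + b"""\">
  <methodName>examples.batch</methodName>
  <params><param><value><array><data>
    <value><string>first</string></value>
    <value><ex:serializable>AAAA</ex:serializable></value>
  </data></array></value></param></params>
</methodCall>"""
)


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspect", SUSPECT), ("nested", NESTED)):
        allowed, reason = screen_request(payload)
        print(f"{name:8s} allowed={allowed} reason={reason}")
```

The screen is deliberately coarse: legitimate XML-RPC clients that do not use the Apache extensions never emit `ex:serializable`, so rejecting the element outright costs nothing for standard traffic, and a rejection logged with the client address gives the SOC a usable detection signal while the library is being upgraded or reconfigured.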
References
- www.openwall.com/lists/oss-security/2016/07/12/5
- www.openwall.com/lists/oss-security/2020/01/16/1
- www.openwall.com/lists/oss-security/2020/01/24/2
- 0ang3el.blogspot.ru/2016/07/beware-of-ws-xmlrpc-library-in-your.html
- access.redhat.com/errata/RHSA-2018:1779
- access.redhat.com/errata/RHSA-2018:1780
- access.redhat.com/errata/RHSA-2018:1784
- access.redhat.com/errata/RHSA-2018:2317
- access.redhat.com/errata/RHSA-2018:3768
- access.redhat.com/security/cve/CVE-2016-5003
- bugzilla.redhat.com/show_bug.cgi?id=1508123
- exchange.xforce.ibmcloud.com/vulnerabilities/115043
- github.com/advisories/GHSA-4gqp-296r-j5mq
- nvd.nist.gov/vuln/detail/CVE-2016-5003
- web.archive.org/web/20160716070844/http://www.securitytracker.com/id/1036294
- web.archive.org/web/20171111065719/http://www.securityfocus.com/bid/91736
- web.archive.org/web/20200227235226/http://www.securityfocus.com/bid/91738
Detect and mitigate CVE-2016-5003 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.