[java-sig-commits] [Bug 1508129] New: CVE-2016-5004 xmlrpc: XSS in Content-Encoding HTTP header of xmlrpc

31 Oct 2017


      https://bugzilla.redhat.com/show_bug.cgi?id=1508129
Bug ID: 1508129
           Summary: CVE-2016-5004 xmlrpc: XSS in Content-Encoding HTTP
                    header of xmlrpc
           Product: Security Response
         Component: vulnerability
          Keywords: Security
          Severity: low
          Priority: low
          Assignee: security-response-team@redhat.com
          Reporter: psampaio@redhat.com
                CC: abhgupta@redhat.com, bmcclain@redhat.com,
                    dbhole@redhat.com, dblechte@redhat.com,
                    dwalluck@redhat.com, eedri@redhat.com,
                    hhorak@redhat.com, java-maint@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jorton@redhat.com, krzysztof.daniel@gmail.com,
                    kseifried@redhat.com, mgoldboi@redhat.com,
                    michal.skrivanek@redhat.com, mizdebsk@redhat.com,
                    msimacek@redhat.com, puntogil@libero.it,
                    sbonazzo@redhat.com, sherold@redhat.com,
                    sochotni@redhat.com, tiwillia@redhat.com,
                    ykaul@redhat.com, ylavi@redhat.com
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache
Archiva allows remote attackers to cause a denial of service (resource
consumption) by decompressing a large file containing zeroes.
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1508129] New: CVE-2016-5004 xmlrpc: XSS in Content-Encoding HTTP header of xmlrpc