https://bugzilla.redhat.com/show_bug.cgi?id=1508129
Bug ID: 1508129
Summary: CVE-2016-5004 xmlrpc: XSS in Content-Encoding HTTP header of xmlrpc
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: abhgupta@redhat.com, bmcclain@redhat.com, dbhole@redhat.com, dblechte@redhat.com, dwalluck@redhat.com, eedri@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jorton@redhat.com, krzysztof.daniel@gmail.com, kseifried@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, puntogil@libero.it, sbonazzo@redhat.com, sherold@redhat.com, sochotni@redhat.com, tiwillia@redhat.com, ykaul@redhat.com, ylavi@redhat.com
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes.
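The defensive check that this class of bug calls for is a hard cap on the inflated size of a gzip-encoded response body, enforced while decompressing rather than after. The Python snippet below is an added example written for this page, not code from ws-xmlrpc, Apache Archiva or the bug report; it uses Python's zlib in place of the library's Java stream classes, and the sample bodies and the 1 MiB limit are constructed for the example.

```python
import gzip
import zlib

# Constructed sample bodies (not from the report): a small legitimate XML-RPC
# response, and a zero-filled body of the kind the description mentions, which
# is a few KiB on the wire but 4 MiB once inflated.
NORMAL_BODY = (b"<?xml version='1.0'?><methodResponse><params><param>"
               b"<value><string>ok</string></value></param></params></methodResponse>")
NORMAL_GZIP = gzip.compress(NORMAL_BODY)
ZERO_FILLED_GZIP = gzip.compress(b"\x00" * (4 * 1024 * 1024))


class InflatedSizeExceeded(ValueError):
    """The inflated body grew past the caller's limit; stop before buffering it all."""


def read_gzip_bounded(compressed: bytes, max_inflated: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip Content-Encoding body, producing at most max_inflated bytes.

    zlib.decompressobj with max_length yields output in bounded chunks, so the
    limit is checked before the next chunk is inflated and memory use stays
    near max_inflated regardless of how far the body would expand.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # |16: expect a gzip header
    out = bytearray()
    pending = compressed
    while pending:
        out += d.decompress(pending, chunk)
        if len(out) > max_inflated:
            raise InflatedSizeExceeded(
                f"inflated body exceeds {max_inflated} bytes (wire size {len(compressed)})")
        pending = d.unconsumed_tail          # input zlib could not consume yet
    out += d.flush()                          # drain any output still buffered
    if len(out) > max_inflated:
        raise InflatedSizeExceeded(f"inflated body exceeds {max_inflated} bytes")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def accepts(compressed: bytes, max_inflated: int) -> bool:
    """True if the body inflates within the limit, False if it was rejected."""
    try:
        read_gzip_bounded(compressed, max_inflated)
        return True
    except InflatedSizeExceeded:
        return False
```

The same cap belongs on any client that transparently inflates a Content-Encoding: gzip body, together with a ceiling on the raw Content-Length so the two limits cover both the wire size and the expansion ratio.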
References:
http://www.openwall.com/lists/oss-security/2016/07/12/5
https://0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html