PT-2016-3244 · Apache · Apache Xml-Rpc Library

0Ang3El · Published 2016-07-12 · Updated 2024-01-22 · CVE-2016-5003

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache XML-RPC library version 3.1.3

Description: The issue allows remote attackers to execute arbitrary code via a crafted serialized Java object in an ex:serializable element. It is due to the library's failure to properly verify data from external sources: the contents of an ex:serializable element are deserialized as a Java object without validation, so a remote attacker who can submit a specially formed serialized object in that element can execute arbitrary code.

Recommendations: For Apache XML-RPC library version 3.1.3, consider disabling the use of ex:serializable elements until a patch is available to prevent exploitation. Restrict access to the library to minimize the risk of remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
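A request has to carry an ex:serializable element to reach the vulnerable deserialization path, so a gateway or reverse proxy can refuse such requests before the library ever parses them. The Python filter below is an added example, not code from this advisory or from Apache XML-RPC; the request bodies are constructed samples, and the extensions namespace URI is assumed to be the one Apache XML-RPC binds to the ex prefix (confirm it against the deployed version).

```python
import xml.etree.ElementTree as ET

# Namespace URI that Apache XML-RPC binds to the "ex" prefix for its vendor
# extensions (ex:serializable, ex:nil, ex:i8, ...). Assumption taken from the
# library's serializer; confirm it against the version you deploy.
EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
# Extension elements that carry a serialized Java object; never forward them.
BLOCKED = {"serializable"}

def find_extension_elements(body: bytes) -> list[str]:
    """Local names of all elements in EXT_NS; raises ET.ParseError on bad XML."""
    # Match on the resolved namespace, not the literal "ex:" text, so a request
    # that binds another prefix to the same URI is still caught.
    root = ET.fromstring(body)
    prefix = "{" + EXT_NS + "}"
    return [el.tag[len(prefix):] for el in root.iter() if el.tag.startswith(prefix)]

def inspect_request(body: bytes) -> tuple[bool, str]:
    """Decide whether an XML-RPC request may be forwarded: (reject, reason)."""
    try:
        names = find_extension_elements(body)
    except ET.ParseError as exc:
        return True, f"malformed XML: {exc}"
    hits = sorted(set(names) & BLOCKED)
    if hits:
        return True, "blocked extension element(s): " + ", ".join(hits)
    return False, "ok"

# Constructed sample bodies, not captured traffic. The base64 text is a
# placeholder string, not a serialized object.
BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>calc.add</methodName>
<params><param><value><int>2</int></value></param></params></methodCall>"""

SUSPICIOUS = b"""<?xml version="1.0"?>
<methodCall xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions">
<methodName>calc.add</methodName>
<params><param><value><ex:serializable>UExBQ0VIT0xERVI=</ex:serializable></value></param></params>
</methodCall>"""

# Same request with the namespace bound to a different prefix: a substring
# check for "ex:serializable" misses it, the namespace check does not.
ALT_PREFIX = (SUSPICIOUS.replace(b"xmlns:ex=", b"xmlns:q=")
              .replace(b"ex:serializable", b"q:serializable"))

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("ex:", SUSPICIOUS), ("q:", ALT_PREFIX)):
        print(label, inspect_request(body))
```

Pair the filter with the library-side setting that disables extensions, since a front-end check only protects paths that pass through it.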

Exploit

RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2018-00148
CESA-2018_1779
CESA-2018_1780
CVE-2016-5003
GHSA-4GQP-296R-J5MQ
MGASA-2019-0002
RHSA-2018:1779
RHSA-2018:1780
RHSA-2018:1784
RHSA-2018:2317
RHSA-2018_1779
RHSA-2018_1780

Affected Products

Apache Xml-Rpc Library
Centos
Red Hat