The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an ex:serializable element.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ws-xmlrpc | Apache | 3.1.3 (including) | 3.1.3 (including) |
| Red Hat Enterprise Linux 6 | RedHat | xmlrpc3-0:3.0-4.17.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | xmlrpc-1:3.1.3-9.el7_5 | * |
| Red Hat Fuse 7.2 | RedHat | camel | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | rh-java-common-xmlrpc-1:3.1.3-8.16.el7 | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | xmlrpc-1:3.1.3-9.el7_5 | * |