CVE-2016-5004: Uncontrolled Resource Consumption

May 17, 2022 (updated July 31, 2023)

The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes.

References

www.openwall.com/lists/oss-security/2016/07/12/5
www.securityfocus.com/bid/91736
www.securitytracker.com/id/1036294
0ang3el.blogspot.in/2016/07/beware-of-ws-xmlrpc-library-in-your.html
github.com/0ang3el/unsafe-xmlrpc
github.com/advisories/GHSA-r2pg-w96p-pcpj
nvd.nist.gov/vuln/detail/CVE-2016-5004

Code Behaviors & Features

Detect and mitigate CVE-2016-5004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →