CVE-2016-5003: xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag

Severity: Critical

CVSS Score: 9.8

The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.