redhat-certification does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laughs attack"[1] by replying to the XMLRPC method call made when getting the status of a host. [1] https://en.wikipedia.org/wiki/Billion_laughs_attack
Acknowledgments: Name: Riccardo Schirone (Red Hat Product Security)
getHostStatus in view.py connects to an XMLRPC server whose address is supplied by the user, who could set up a fake server and reply with a small XML document whose nested entity definitions, when expanded by the response parser, consume a large amount of memory.
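The following is an added example, not code from redhat-certification: it builds the kind of XMLRPC response a fake host status server could return, shows how much the stock xmlrpc.client parser materialises from it, and contrasts that with a hypothetical hardened parser (NoEntityExpatParser, not the project's own fix) that refuses any entity declaration before expansion starts. The payload uses a deliberately small depth and fan-out (1000 expansions rather than the classic 10^9) so it runs safely.

```python
import xmlrpc.client


def billion_laughs_response(depth=3, fanout=10):
    """Constructed malicious methodResponse: nested general entities that expand
    fanout**depth times. depth=10, fanout=10 is the classic billion-laughs document.
    Every level references the previous one, so the document stays a few hundred bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ('&lol%d;' % (i - 1)) * fanout))
    body = ('<methodResponse><params><param><value><string>&lol%d;</string>'
            '</value></param></params></methodResponse>' % depth)
    doc = '<?xml version="1.0"?>\n<!DOCTYPE methodResponse [\n%s\n]>\n%s' % (
        '\n'.join(decls), body)
    return doc.encode()


class NoEntityExpatParser(xmlrpc.client.ExpatParser):
    """Hypothetical hardening (assumption, not the project's code): the stock
    ExpatParser plus an EntityDeclHandler that aborts parsing on the first
    entity declaration. XML-RPC never needs custom entities, so rejecting them
    outright is safe and stops the expansion before any memory is spent."""

    def __init__(self, target):
        super().__init__(target)
        self._parser.EntityDeclHandler = self._reject_entity

    def _reject_entity(self, name, *unused):
        # Raising inside an expat handler aborts Parse() with this exception.
        raise ValueError("refusing XML-RPC response that declares entity %r" % name)


def parse_response(data, parser_cls=xmlrpc.client.ExpatParser):
    """Unmarshal a methodResponse the same way xmlrpc.client.loads does,
    with a pluggable parser class. Returns the tuple of response params."""
    target = xmlrpc.client.Unmarshaller()
    parser = parser_cls(target)
    parser.feed(data)
    parser.close()
    return target.close()


def measure_expansion(data):
    """(bytes received on the wire, characters the stock parser materialises)."""
    (value,) = parse_response(data)
    return len(data), len(value)


def rejects_entities(data):
    """True if the hardened parser refuses the response instead of expanding it."""
    try:
        parse_response(data, NoEntityExpatParser)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = billion_laughs_response(3, 10)
    benign = xmlrpc.client.dumps(("up",), methodresponse=True).encode()
    print("stock parser, wire bytes -> expanded chars:", measure_expansion(evil))
    print("hardened parser rejects payload:", rejects_entities(evil))
    print("hardened parser still accepts a normal reply:",
          parse_response(benign, NoEntityExpatParser))
```

The stock parser turns roughly 400 bytes on the wire into 3000 characters here; raising depth to 10 would make the same client try to allocate gigabytes, which is the condition the advisory describes. Recent libexpat (2.4.0 and later) caps amplification by default, but only once output exceeds an 8 MiB activation threshold, so a client should not rely on that alone; refusing entity declarations from an untrusted server, as above, or wrapping the client with defusedxml.xmlrpc.monkey_patch(), removes the exposure regardless of the expat version in use.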