CVE-2013-7285

Опубликовано: 15 мая 2019

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Ссылки

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Broken Link
Not Applicable
URL Repurposed
http://seclists.org/oss-sec/2014/q1/69
Mailing List
Third Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Third Party Advisory
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
Mailing List
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
Third Party Advisory
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://x-stream.github.io/CVE-2013-7285.html
Exploit
Third Party Advisory
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Broken Link
Not Applicable
URL Repurposed
http://seclists.org/oss-sec/2014/q1/69
Mailing List
Third Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Third Party Advisory
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
Mailing List
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
Mailing List
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
Third Party Advisory
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://x-stream.github.io/CVE-2013-7285.html
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*

Конфигурация 2

cpe:2.3:a:apache:activemq:5.15.8:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Версия до 1.4.6 (включая)

cpe:2.3:a:xstream:xstream:1.4.10:*:*:*:*:*:*:*

EPSS

Процентиль: 94%

0.15054

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78

Связанные уязвимости

CVE-2013-7285

CVSS3: 9.8

ubuntu

больше 6 лет назад

CVE-2013-7285

redhat

около 12 лет назад

CVE-2013-7285

CVSS3: 9.8

debian

больше 6 лет назад

Xstream API versions up to 1.4.6 and version 1.4.10, if the security f ...

GHSA-f554-x222-wgf7

CVSS3: 9.8

github

больше 6 лет назад

Command Injection in Xstream

EPSS

Процентиль: 94%

0.15054

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-78