Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2019-10173

Опубликовано: 23 июл. 2019
Источник: nvd
CVSS3: 7.3
CVSS3: 9.8
CVSS2: 7.5
EPSS Критический

Описание

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:xstream:xstream:1.4.10:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*
Версия от 2.4.0 (включая) до 2.10.0 (включая)
cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.2.2 (включая)
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
Версия от 4.3.0.1.0 (включая) до 4.3.0.6.0 (включая)
cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 100%
0.92962
Критический

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94
CWE-502

Связанные уязвимости

ubuntu логотип

CVE-2019-10173

CVSS3: 9.8
ubuntu
больше 6 лет назад

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

redhat логотип

CVE-2019-10173

CVSS3: 7.3
redhat
больше 7 лет назад

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

debian логотип

CVE-2019-10173

CVSS3: 9.8
debian
больше 6 лет назад

It was found that xstream API version 1.4.10 before 1.4.11 introduced ...

github логотип

GHSA-hf23-9pf7-388p

CVSS3: 9.8
github
больше 6 лет назад

Deserialization of Untrusted Data and Code Injection in xstream

fstec логотип

BDU:2019-02936

CVSS3: 9.8
fstec
больше 6 лет назад

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольные команды

EPSS

Процентиль: 100%
0.92962
Критический

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-94
CWE-502