CVE-2013-7285

Опубликовано: 22 дек. 2013

Источник: redhat

CVSS2: 6.8

EPSS Средний

Описание

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
OpenShift Enterprise 1	xstream	Will not fix
Red Hat Enterprise Linux 7	xstream	Not affected
Red Hat JBoss Enterprise Web Server 1	amq-6.0	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-6.0	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-esb-7.1	Affected
Red Hat JBoss Enterprise Web Server 1	fuse-mq-7.1	Affected
Red Hat JBoss SOA Platform 4.3	xstream	Will not fix
Red Hat OpenShift Enterprise 2	xstream	Affected
Fuse ESB Enterprise 7.1.0		Fixed	RHSA-2014:0452	30.04.2014
Fuse Management Console 7.1.0		Fixed	RHSA-2014:0452	30.04.2014

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-94

https://bugzilla.redhat.com/show_bug.cgi?id=1051277XStream: remote code execution due to insecure XML deserialization

EPSS

Процентиль: 94%

0.15054

Средний

6.8 Medium

CVSS2

Связанные уязвимости

CVE-2013-7285

CVSS3: 9.8

ubuntu

больше 6 лет назад

CVE-2013-7285

CVSS3: 9.8

nvd

больше 6 лет назад

CVE-2013-7285

CVSS3: 9.8

debian

больше 6 лет назад

Xstream API versions up to 1.4.6 and version 1.4.10, if the security f ...

GHSA-f554-x222-wgf7

CVSS3: 9.8

github

больше 6 лет назад

Command Injection in Xstream

EPSS

Процентиль: 94%

0.15054

Средний

6.8 Medium

CVSS2