CVE-2019-10173

Published: 23 Oct 2018
Source: redhat
CVSS3: 7.3

Description

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (regression of CVE-2013-7285)

It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of CVE-2013-7285, fixed in 1.4.7 as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM.

Affected packages

Platform                    | Package           | Status   | Recommendation  | Release
Red Hat Fuse 7              | xstream           | Affected |                 |
Red Hat Data Grid 7.3.3     | xstream           | Fixed    | RHSA-2020:0727  | 05.03.2020
Red Hat Fuse 6.3            | xstream           | Fixed    | RHSA-2019:4352  | 19.12.2019
Red Hat Fuse 7.5.0          |                   | Fixed    | RHSA-2019:3892  | 14.11.2019
Red Hat JBoss BPMS 7.4      | xstream           | Fixed    | RHSA-2019:1823  | 22.07.2019
Red Hat JBoss BRMS 7.4      | xstream           | Fixed    | RHSA-2019:1822  | 22.07.2019
Red Hat Single Sign-On 7.3  | rh-sso7-keycloak  | Fixed    | RHSA-2020:0445  | 06.02.2020


Additional information

Status: Important
Weakness: CWE-94
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1722971
Title: xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)

CVSS3: 7.3 High

Related vulnerabilities

Source: ubuntu (more than 6 years ago), CVSS3: 9.8
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (regression of CVE-2013-7285)

Source: nvd (more than 6 years ago), CVSS3: 9.8
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (regression of CVE-2013-7285)

Source: debian (more than 6 years ago), CVSS3: 9.8
It was found that xstream API version 1.4.10 before 1.4.11 introduced ...

Source: github (more than 6 years ago), CVSS3: 9.8
Deserialization of Untrusted Data and Code Injection in xstream

Source: fstec (more than 6 years ago), CVSS3: 9.8
Vulnerability in XStream, a Java library for converting objects to XML or JSON format, related to reconstructing untrusted data in memory, allowing an attacker to execute arbitrary commands
