Описание
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | 1.4.11.1-1~18.04 |
| devel | not-affected | |
| disco | not-affected | |
| eoan | not-affected | |
| esm-apps/bionic | not-affected | 1.4.11.1-1~18.04 |
| esm-apps/focal | not-affected | |
| esm-apps/xenial | not-affected | code not present |
| esm-infra-legacy/trusty | not-affected | code not present |
| focal | not-affected | |
| groovy | not-affected |
Показывать по
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3
Связанные уязвимости
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
It was found that xstream API version 1.4.10 before 1.4.11 introduced ...
Deserialization of Untrusted Data and Code Injection in xstream
Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольные команды
EPSS
7.5 High
CVSS2
9.8 Critical
CVSS3