CVE-2013-7285
Published: May 15, 2019
Modified: Aug 6, 2024
PUBLISHED
Description
XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream
mailing-list
x_refsource_MLIST
[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper
mailing-list
x_refsource_MLIST
[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper
mailing-list
x_refsource_MLIST
[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.
mailing-list
x_refsource_MLIST
https://x-stream.github.io/CVE-2013-7285.html
x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2020.html
x_refsource_MISC