CVE-2013-7285
Publication date 15 May 2019
Last updated 24 July 2024
Ubuntu priority
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libxstream-java | ||
| 18.04 LTS bionic |
Fixed 1.4.7-1
|
|
| 16.04 LTS xenial |
Fixed 1.4.7-1
|
|
| 14.04 LTS trusty |
Fixed 1.4.7-1
|
|
Notes
mdeslaur
starting with 1.4.7, it is now possible to define permissions for types. This requires applications to use permissions.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
- http://xstream.codehaus.org/security.html
- https://fisheye.codehaus.org/changelog/xstream?cs=2210
- https://www.cve.org/CVERecord?id=CVE-2013-7285