Vulnerability Details : CVE-2013-7285
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Products affected by CVE-2013-7285
- cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
- cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-7285
43.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-7285
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2013-7285
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7285
-
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
Pony Mail!Third Party Advisory
-
https://x-stream.github.io/CVE-2013-7285.html
XStream - CVE-2013-7285Exploit;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Third Party Advisory
-
http://seclists.org/oss-sec/2014/q1/69
oss-sec: Re: CVE request: remote code execution via deserialization in XStreamMailing List;Third Party Advisory
-
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
-
https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
Re: [xstream-user] Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapperMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
Pony Mail!Third Party Advisory
-
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Dinis Cruz Blog: XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" articleNot Applicable;URL Repurposed
-
https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
[xstream-user] Re: Re: Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapperMailing List;Third Party Advisory
Jump to