CVE-2013-4221

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone1:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone2:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone3:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone4:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone5:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:milestone6:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc1:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc2:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc3:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc4:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc5:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1:rc6:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:restlet:restlet:2.1.2:*:*:*:*:*:*:*

History

21 Nov 2024, 01:55

Type Values Removed Values Added
References () http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html - Third Party Advisory () http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html - Third Party Advisory
References () http://restlet.org/learn/2.1/changes - Release Notes, Vendor Advisory () http://restlet.org/learn/2.1/changes - Release Notes, Vendor Advisory
References () http://rhn.redhat.com/errata/RHSA-2013-1410.html - Third Party Advisory () http://rhn.redhat.com/errata/RHSA-2013-1410.html - Third Party Advisory
References () http://rhn.redhat.com/errata/RHSA-2013-1862.html - Third Party Advisory () http://rhn.redhat.com/errata/RHSA-2013-1862.html - Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=995275 - Issue Tracking, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=995275 - Issue Tracking, Third Party Advisory
References () https://github.com/restlet/restlet-framework-java/issues/774 - Patch, Issue Tracking () https://github.com/restlet/restlet-framework-java/issues/774 - Issue Tracking, Patch

Information

Published : 2013-10-10 00:55

Updated : 2024-11-21 01:55


NVD link : CVE-2013-4221

Mitre link : CVE-2013-4221

CVE.ORG link : CVE-2013-4221


JSON object : View

Products Affected

restlet

  • restlet
CWE
CWE-16

Configuration

CWE-91

XML Injection (aka Blind XPath Injection)