The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
References
| Link | Resource |
|---|---|
| http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html | Third Party Advisory |
| http://restlet.org/learn/2.1/changes | Release Notes, Vendor Advisory |
| http://rhn.redhat.com/errata/RHSA-2013-1410.html | Third Party Advisory |
| http://rhn.redhat.com/errata/RHSA-2013-1862.html | Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=995275 | Issue Tracking, Third Party Advisory |
| https://github.com/restlet/restlet-framework-java/issues/774 | Issue Tracking, Patch |
Configurations
Configuration 1
History
21 Nov 2024, 01:55
| Type | Values Removed | Values Added |
|---|---|---|
| References | http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html - Third Party Advisory | |
| References | http://restlet.org/learn/2.1/changes - Release Notes, Vendor Advisory | |
| References | http://rhn.redhat.com/errata/RHSA-2013-1410.html - Third Party Advisory | |
| References | http://rhn.redhat.com/errata/RHSA-2013-1862.html - Third Party Advisory | |
| References | https://bugzilla.redhat.com/show_bug.cgi?id=995275 - Issue Tracking, Third Party Advisory | |
| References | https://github.com/restlet/restlet-framework-java/issues/774 - Issue Tracking, Patch | |
Information
Published : 2013-10-10 00:55
Updated : 2024-11-21 01:55
NVD link : CVE-2013-4221
Mitre link : CVE-2013-4221
CVE.ORG link : CVE-2013-4221
Products Affected
restlet
- restlet