CVE-2013-7285

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:*

History

07 Nov 2023, 02:18

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E', 'name': '[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar', 'tags': ['Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html', 'name': '[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html', 'name': '[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E', 'name': '[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.', 'tags': ['Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html -
  • () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html -
  • () https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E -
  • () https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E -

Information

Published : 2019-05-15 17:29

Updated : 2024-02-28 17:08


NVD link : CVE-2013-7285

Mitre link : CVE-2013-7285

CVE.ORG link : CVE-2013-7285


JSON object : View

Products Affected

xstream_project

  • xstream
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')