CVE-2013-7285

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
References
Link Resource
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html Not Applicable URL Repurposed
http://seclists.org/oss-sec/2014/q1/69 Mailing List Third Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://x-stream.github.io/CVE-2013-7285.html Exploit Third Party Advisory
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html Not Applicable URL Repurposed
http://seclists.org/oss-sec/2014/q1/69 Mailing List Third Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory
https://x-stream.github.io/CVE-2013-7285.html Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:*

History

21 Nov 2024, 02:00

Type Values Removed Values Added
References () http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html - Not Applicable, URL Repurposed () http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html - Not Applicable, URL Repurposed
References () http://seclists.org/oss-sec/2014/q1/69 - Mailing List, Third Party Advisory () http://seclists.org/oss-sec/2014/q1/69 - Mailing List, Third Party Advisory
References () http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html - () http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html -
References () https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E - () https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E -
References () https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E - () https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E -
References () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html - () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html -
References () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html - () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html -
References () https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory () https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory
References () https://x-stream.github.io/CVE-2013-7285.html - Exploit, Third Party Advisory () https://x-stream.github.io/CVE-2013-7285.html - Exploit, Third Party Advisory

07 Nov 2023, 02:18

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E', 'name': '[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar', 'tags': ['Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html', 'name': '[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html', 'name': '[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E', 'name': '[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.', 'tags': ['Third Party Advisory'], 'refsource': 'MLIST'}
  • () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html -
  • () https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html -
  • () https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E -
  • () https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E -

Information

Published : 2019-05-15 17:29

Updated : 2024-11-21 02:00


NVD link : CVE-2013-7285

Mitre link : CVE-2013-7285

CVE.ORG link : CVE-2013-7285


JSON object : View

Products Affected

xstream_project

  • xstream
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')