It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 04:18
Type | Values Removed | Values Added |
---|---|---|
References | () http://x-stream.github.io/changes.html#1.4.11 - Release Notes, Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:3892 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:4352 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2020:0445 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2020:0727 - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 - Issue Tracking, Third Party Advisory | |
References | () https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuapr2020.html - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujan2021.html - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory |
Information
Published : 2019-07-23 13:15
Updated : 2024-11-21 04:18
NVD link : CVE-2019-10173
Mitre link : CVE-2019-10173
CVE.ORG link : CVE-2019-10173
JSON object : View
Products Affected
xstream_project
- xstream
oracle
- business_activity_monitoring
- communications_billing_and_revenue_management_elastic_charging_engine
- endeca_information_discovery_studio
- communications_diameter_signaling_router
- utilities_framework
- webcenter_portal
- banking_platform
- retail_xstore_point_of_service
- communications_unified_inventory_management