CVE-2013-7285

Vulnerability Summary

RHSA-2014:0389: jasperreports-server-pro security update

An updated jasperreports-server-pro package that fixes one security issue is now available. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. XStream is a simple library used by the Red Hat Enterprise Virtualization reports package to serialize and de-serialize objects to and from XML.

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application. (CVE-2013-7285)

All jasperreports-server-pro users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

In some places, the Jenkins XML API uses XStream to deserialize arbitrary content, which is affected by CVE-2013-7285, reported against XStream. This allows malicious users of Jenkins with a limited set of permissions to execute arbitrary code inside the Jenkins master.

Vendor Advisories

It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application ...
IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to multiple security vulnerabilities. There are multiple vulnerability fixes to open source libraries distributed with IGI, other less secure algorithms for crypto, XSS attacks and clickjacking attacks ...

Exploits

Title: Unauthenticated remote code execution in OpenMRS
Product: OpenMRS
Vendor: OpenMRS Inc.
Tested versions: See summary
Status: Fixed by vendor
Reported by: Brian D. Hysell
Product description: OpenMRS is "the world's leading open source enterprise electronic medical record system platform"
Vulnerability summary: The OpenMRS Reporting Modul ...

Mailing Lists

OpenMRS Reporting module version 0.9.7 suffers from a remote code execution vulnerability ...

Github Repositories

Overview: This repository contains the JUnit tests to demonstrate how XStream v1.4.9 responds to the security issues x-stream.github.io/CVE-2013-7285.html and x-stream.github.io/CVE-2017-7957.html. Summary of behaviour through v1.4.7 to v1.4.11.1: a way to deal with CVE_2013_7285 is provided through v1.4.7, but the issue showed up again while fixing CVE-2017-7957 in v

Overview: This repository contains the JUnit tests to demonstrate how XStream v1.4.11 responds to the security issues x-stream.github.io/CVE-2013-7285.html and x-stream.github.io/CVE-2017-7957.html. Summary of behaviour through v1.4.7 to v1.4.11.1: a way to deal with CVE_2013_7285 is provided through v1.4.7, but the issue showed up again while fixing CVE-2017-7957 in

Maven Security Versions: identify vulnerable libraries in Maven dependencies. The plugin is based on versions-maven-plugin. It uses the victims database as the source for CVEs and Maven artifact mapping. Usage: > mvn com.redhat.victims.maven:security-versions:check [INFO] Scanning for projects [INFO] [INFO] -----------------------------------------------------------------

References