Vulmon Recent Vulnerabilities Discussions Trends Blog About Contact
7.5
CVSSv2

CVE-2013-7285

Published: 15/05/2019 Updated: 18/07/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 757
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote malicious user to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Vulnerability Trend

Affected Products

Vendor Product Versions
Xstream ProjectXstream1.4.6, 1.4.10

Vendor Advisories

Debian CVElist Bug Report Logs: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream
Debian Bug report logs - #734821 libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream Package: libxstream-java; Maintainer for libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for libxstream-java is src:libxstream-java (PTS, buildd, popcon) Repo ...
Red Hat: CVE-2013-7285
Impact: Important Public Date: 2013-12-22 CWE: CWE-94 Bugzilla: 1051277: CVE-2013-7285 XStream: remote ...
Red Hat: Important: Red Hat Process Automation Manager 7.4.0 Security Update
Synopsis Important: Red Hat Process Automation Manager 740 Security Update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Process Automation ManagerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scor ...
Red Hat: Important: Red Hat Decision Manager 7.4.0 Security Update
Synopsis Important: Red Hat Decision Manager 740 Security Update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Decision ManagerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) ba ...
IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities
IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to multiple security vulnerabilities There are multiple vulnerabilities fixes to open source libraries distributed with IGI, other less secure algorithms for crypto, xss attacks and click jacking attacks ...

Exploits

Exploit DB: OpenMRS Reporting Module 0.9.7 - Remote Code Execution
Title: Unauthenticated remote code execution in OpenMRS Product: OpenMRS Vendor: OpenMRS Inc Tested versions: See summary Status: Fixed by vendor Reported by: Brian D Hysell Product description: OpenMRS is "the world's leading open source enterprise electronic medical record system platform" Vulnerability summary: The OpenMRS Reporting Modul ...

Mailing Lists

Packetstorm: OpenMRS Reporting Module 0.9.7 Remote Code Execution
OpenMRS Reporting module version 097 suffers from a remote code execution vulnerability ...

Github Repositories

xstream_v1_4_9_security_issues

Overview This repository contains the junit tests to demonstrate how XStream v149 respond to the security issues x-streamgithubio/CVE-2013-7285html and x-streamgithubio/CVE-2017-7957html Summary on behaviour through v147 to v14111 A way to deal with CVE_2013_7285 is provided through v147 But issue again is showed up while fixing CVE-2017-7957 in v

xstream_v1_4_9_security_issues

Overview This repository contains the junit tests to demonstrate how XStream v149 respond to the security issues x-streamgithubio/CVE-2013-7285html and x-streamgithubio/CVE-2017-7957html Summary on behaviour through v147 to v14111 A way to deal with CVE_2013_7285 is provided through v147 But issue again is showed up while fixing CVE-2017-7957 in v

cve-poc

cve-poc

xstream_v1_4_11_security_issues

Overview This repository contains the junit tests to demonstrate how XStream v1411 respond to the security issues x-streamgithubio/CVE-2013-7285html and x-streamgithubio/CVE-2017-7957html Summary on behaviour through v147 to v14111 A way to deal with CVE_2013_7285 is provided through v147 But issue again is showed up while fixing CVE-2017-7957 in

xstream_v1_4_11_security_issues

Overview This repository contains the junit tests to demonstrate how XStream v1411 respond to the security issues x-streamgithubio/CVE-2013-7285html and x-streamgithubio/CVE-2017-7957html Summary on behaviour through v147 to v14111 A way to deal with CVE_2013_7285 is provided through v147 But issue again is showed up while fixing CVE-2017-7957 in

maven-security-versions-Travis

Maven Security Versions Identify vulnerable libraries in Maven dependencies The plugin is based on versions-maven-plugin It use the victims database has source for CVEs and Maven artifact mapping Usage > mvn comredhatvictimsmaven:security-versions:check [INFO] Scanning for projects [INFO] [INFO] -----------------------------------------------------------------

maven-security-versions

Maven Security Versions Identify vulnerable libraries in Maven dependencies The plugin is based on versions-maven-plugin It use the victims database has source for CVEs and Maven artifact mapping Usage > mvn comredhatvictimsmaven:security-versions:check [INFO] Scanning for projects [INFO] [INFO] -----------------------------------------------------------------

References

CWE-77http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.htmlhttp://seclists.org/oss-sec/2014/q1/69https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3Ehttps://www.mail-archive.com/user@xstream.codehaus.org/msg00604.htmlhttps://www.mail-archive.com/user@xstream.codehaus.org/msg00607.htmlhttps://x-stream.github.io/CVE-2013-7285.htmlhttps://www.rapid7.com/db/vulnerabilities/jenkins-2014-02-14_cve-2013-7285https://nvd.nist.govhttps://www.exploit-db.com/exploits/39193/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2019-13512note pressCVE-2019-0708man-in-the-middlekunenaunprivilegedSQL injectionCVE-2019-15116datainterlockCVE-2018-20973CVE-2019-15148CVE-2019-15107