CVSSv2: 7.5

CVE-2013-7285

Published: 15/05/2019 Updated: 18/07/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 757
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote malicious user to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any other supported format (e.g. JSON).

Affected Products

Vendor            Product   Versions
XStream Project   XStream   1.4.6, 1.4.10

Vendor Advisories

Debian Bug report logs - #734821 libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream. Package: libxstream-java; Maintainer for libxstream-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for libxstream-java is src:libxstream-java (PTS, buildd, popcon). Repo ...
Impact: Important | Public Date: 2013-12-22 | CWE: CWE-94 | Bugzilla: 1051277: CVE-2013-7285 XStream: remote ...
Synopsis: Important: Red Hat Process Automation Manager 7.4.0 Security Update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scor ...
Synopsis: Important: Red Hat Decision Manager 7.4.0 Security Update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) ba ...
IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to multiple security vulnerabilities. There are multiple vulnerability fixes to open source libraries distributed with IGI, to less secure cryptographic algorithms, and to XSS and clickjacking attacks ...

Exploits

Title: Unauthenticated remote code execution in OpenMRS. Product: OpenMRS. Vendor: OpenMRS Inc. Tested versions: See summary. Status: Fixed by vendor. Reported by: Brian D. Hysell. Product description: OpenMRS is "the world's leading open source enterprise electronic medical record system platform". Vulnerability summary: The OpenMRS Reporting Modul ...

Mailing Lists

OpenMRS Reporting module version 0.9.7 suffers from a remote code execution vulnerability ...

Github Repositories

Overview: This repository contains the JUnit tests to demonstrate how XStream v1.4.9 responds to the security issues x-stream.github.io/CVE-2013-7285.html and x-stream.github.io/CVE-2017-7957.html. Summary of behaviour through v1.4.7 to v1.4.11.1: A way to deal with CVE_2013_7285 is provided through v1.4.7, but the issue showed up again while fixing CVE-2017-7957 in v

cve-poc

Overview: This repository contains the JUnit tests to demonstrate how XStream v1.4.11 responds to the security issues x-stream.github.io/CVE-2013-7285.html and x-stream.github.io/CVE-2017-7957.html. Summary of behaviour through v1.4.7 to v1.4.11.1: A way to deal with CVE_2013_7285 is provided through v1.4.7, but the issue showed up again while fixing CVE-2017-7957 in

Maven Security Versions: Identify vulnerable libraries in Maven dependencies. The plugin is based on versions-maven-plugin. It uses the victims database as the source for CVEs and Maven artifact mapping. Usage: > mvn com.redhat.victims.maven:security-versions:check [INFO] Scanning for projects [INFO] [INFO] -----------------------------------------------------------------