It was found that xstream API version 1.4.10, prior to 1.4.11, introduced a regression of a previously fixed deserialization flaw. If the security framework has not been initialized, it may allow a remote malicious user to run arbitrary shell commands when unmarshalling XML or any other supported format, e.g. JSON. (regression of CVE-2013-7285)
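The condition named above is an uninitialized security framework. The following is an added example (not code from the page or from the XStream project) of what initializing it looks like on the consuming side: deny all types, then allow only the types the endpoint expects, so that input naming any other class is refused before it is instantiated. The `Invoice` type is hypothetical, and the xstream library (1.4.7 or later, where these APIs exist) is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical domain type this endpoint actually expects to receive.
    public static class Invoice {
        public String id;
        public int amountCents;
    }

    // Build an XStream instance whose security framework is explicitly
    // initialized: clear all permissions, then re-admit only what is needed.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything by default
        xstream.addPermission(NullPermission.NULL);                // permit null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Invoice.class });
        xstream.alias("invoice", Invoice.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input that names only allowed types: unmarshals normally.
        String expected = "<invoice><id>INV-1</id><amountCents>1250</amountCents></invoice>";
        Invoice inv = (Invoice) xstream.fromXML(expected);
        System.out.println("accepted: " + inv.id + " " + inv.amountCents);

        // Constructed input naming a class outside the allowlist (a harmless one
        // here). With the framework initialized, XStream raises
        // ForbiddenClassException (an XStreamException) instead of creating it.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: type outside the allowlist was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejected branch is also the place to log the offending type name, which gives a simple detection signal for input that names classes an endpoint never expects.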
Vulnerable Product |
---|
xstream project xstream 1.4.10 |
oracle banking platform 2.4.0 |
oracle webcenter portal 12.2.1.3.0 |
oracle webcenter portal 11.1.1.9.0 |
oracle utilities framework 4.2.0.3.0 |
oracle utilities framework 4.2.0.2.0 |
oracle utilities framework 2.2.0.0.0 |
oracle endeca information discovery studio 3.2.0 |
oracle utilities framework 4.4.0.0.0 |
oracle communications unified inventory management 7.4.0 |
oracle retail xstore point of service 17.0 |
oracle utilities framework |
oracle communications diameter signaling router |
oracle communications unified inventory management 7.3.0 |
oracle banking platform |
oracle communications billing and revenue management elastic charging engine 11.3.0.9.0 |
oracle communications billing and revenue management elastic charging engine 12.0.0.3.0 |
oracle business activity monitoring 12.2.1.3.0 |
oracle business activity monitoring 11.1.1.9.0 |
oracle endeca information discovery studio 3.2.0.0 |
oracle banking platform 2.7.1 |
oracle banking platform 2.9.0 |
oracle webcenter portal 12.2.1.4.0 |
oracle business activity monitoring 12.2.1.4.0 |