PT-2019-2961 · Xstream · Xstream
Published: 2019-06-21 · Updated: 2025-05-14
CVE-2019-10173
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XStream 1.4.10 (the affected range is 1.4.10 through 1.4.10, that is, this single release)
Description
The issue is a regression of a previously fixed deserialization flaw in the XStream API. If the security framework has not been initialized, a remote attacker may be able to run arbitrary shell commands when XStream unmarshals XML or any other supported format, such as JSON. In that configuration, unmarshalling attacker-controlled input is sufficient for arbitrary command execution.
Recommendations
For XStream 1.4.10, update to version 1.4.11 to resolve the issue. As a temporary workaround, initialize the security framework before using the XStream API to minimize the risk of exploitation, and restrict access to unmarshalling of XML or any other supported format until the update is applied.
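The weak configuration the advisory describes beside the recommended workaround, as an added example that is not part of the advisory or of the XStream project's own code. It assumes the XStream 1.4.x security API (`addPermission`, `allowTypes`) and a hypothetical `Note` DTO as the only type the application expects to receive.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical DTO: the only type this service should ever unmarshal.
    public static class Note {
        public String title;
        public int priority;
    }

    // Weak setting: the security framework is never initialized. On 1.4.10 this
    // is the configuration the advisory describes: any class on the classpath
    // may be instantiated from attacker-controlled input. 1.4.10 also prints
    // "Security framework of XStream not initialized, XStream is probably
    // vulnerable." to stderr on first use, a useful signal in application logs.
    static XStream unsafeDefault() {
        XStream xstream = new XStream();
        xstream.alias("note", Note.class);
        return xstream;
    }

    // Corrected setting: start from "deny every type", then allow exactly the
    // types the application needs. This is the workaround the advisory
    // recommends (initialize the security framework before unmarshalling).
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all
        xstream.addPermission(NullPermission.NULL);                // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, etc.
        xstream.allowTypes(new Class[] { String.class, Note.class });
        xstream.alias("note", Note.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample input: one legitimate document and one naming a
        // type outside the allowlist (harmless here, but it is exactly the
        // kind of input the service never expects and must refuse).
        String expected = "<note><title>deploy</title><priority>2</priority></note>";
        String unexpected = "<java.util.ArrayList/>";

        Note n = (Note) hardened().fromXML(expected);
        System.out.println("accepted: " + n.title + " / " + n.priority);
        try {
            hardened().fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With `hardened()`, the second document is rejected with a `ForbiddenClassException` before any instance is created, whereas `unsafeDefault()` would instantiate whatever class the element name resolves to.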
Fix
Code Injection
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Xstream