CVE-2013-7285

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Xstream API versions up to 1.4.6 Xstream API version 1.4.10

Description The issue allows a remote attacker to execute arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, such as JSON, if the security framework has not been initialized.

Recommendations For Xstream API versions up to 1.4.6, initialize the security framework to prevent exploitation. For Xstream API version 1.4.10, initialize the security framework to prevent exploitation. As a temporary workaround, consider restricting the input formats to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

CVE-2013-7285

GHSA-F554-X222-WGF7

MGASA-2014-0100

RHSA-2014:0389

Affected Products

Xstream Api

CVE-2013-7285

Weakness Enumeration

Related Identifiers

Affected Products

References · 35