#VU22876 Input validation error in xstream - CVE-2013-7285
Published: November 20, 2019 / Updated: April 7, 2020
Vulnerable software: XStream (vendor: xstream)
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input passed in XML or JSON format to the XStream API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary code on the target system.
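The root cause described above is that XStream instantiates whatever type names appear in the input. The configuration below is an added example, not code from this record or from the XStream project; it assumes XStream 1.4.7 or later (where the security framework and its permission classes were introduced) and uses a constructed `Order` class as the only application type the parser is allowed to create.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {

    // Constructed example type: the only application class we expect to unmarshal.
    public static class Order {
        public int id;
        public String item;
    }

    // Deny-by-default XStream instance: every type name found in the input must be
    // explicitly allowed, so the parser no longer instantiates arbitrary classes.
    public static XStream hardenedInstance() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // clear permissions; forbid everything
        xstream.addPermission(NullPermission.NULL);                // allow null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedInstance();

        // Constructed input naming an allowed type: unmarshals normally.
        String benign = "<order><id>42</id><item>widget</item></order>";
        Order order = (Order) xstream.fromXML(benign);
        System.out.println("parsed order " + order.id + " for " + order.item);

        // Constructed input naming a type outside the allowlist (a harmless JDK class here):
        // the hardened instance refuses it instead of instantiating whatever the XML names.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected: document was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist applies when the instance is driven by a JSON stream driver, since the type permissions are checked by the mapper rather than by the XML parser.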
Remediation
External links
- http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
- http://seclists.org/oss-sec/2014/q1/69
- https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
- https://x-stream.github.io/CVE-2013-7285.html