Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-7285

CWE-78 — OS Command Injection CWE-94 — Code Injection CWE-77 — Command Injection CWE-502 — Deserialization of Untrusted Data15 documents10 sources

Severity

9.8CRITICAL

EPSS

14.8%

top 5.49%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Xstream Xstream Apache Activemq Oracle Endeca Information Discovery Studio

Timeline

PublishedMay 15

Latest updateJul 26

Description

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶Mavencom.thoughtworks.xstream:xstream1.4.10 — 1.4.11+1

▶Debianlibxstream-java< 1.4.7-1+3

▶NVDxstream/xstream1.4.6+1

▶CVEListV5xstream/xstreamfixed in 1.4.11

▶NVDoracle/endeca_information_discovery_studio3.2.0

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data and Code Injection in xstream↗2019-07-26

▶

GHSA

Command Injection in Xstream↗2019-05-29

▶

OSV

Command Injection in Xstream↗2019-05-29

▶

CVEList

CVE-2013-7285: Xstream API versions up to 1↗2019-05-15

▶

OSV

CVE-2013-7285: Xstream API versions up to 1↗2019-05-15

▶

💥Exploits & PoCs

Exploit-DB

OpenMRS Reporting Module 0.9.7 - Remote Code Execution↗2016-01-07

▶

Nuclei

XStream <1.4.6/1.4.10 - Remote Code Execution

▶

📋Vendor Advisories

Red Hat

xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)↗2018-10-23

▶

Jenkins

Jenkins Security Advisory 2014-02-14↗2014-02-14

▶

Red Hat

XStream: remote code execution due to insecure XML deserialization↗2013-12-22

▶

Debian

CVE-2013-7285: libxstream-java - Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework h...↗2013

▶

💬Community

Bugzilla

CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)↗2019-06-21

▶

Bugzilla

CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization [fedora-all]↗2014-02-11

▶

Bugzilla

CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization↗2014-01-10

▶