CVE-2013-7285: Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

EXPLOIT

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Affected

30 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	activemq	—	—
debian	libxstream-java	< libxstream-java 1.4.7-1 (bookworm)	libxstream-java 1.4.7-1 (bookworm)
debian	libxstream-java	< libxstream-java 1.4.11-1 (bookworm)	libxstream-java 1.4.11-1 (bookworm)
jenkins	jenkins_core	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	2.4.0 – 2.10.0	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_diameter_signaling_router	8.0.0 – 8.2.2	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	endeca_information_discovery_studio	—	—
oracle	endeca_information_discovery_studio	—	—
oracle	retail_xstore_point_of_service	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	4.3.0.1.0 – 4.3.0.6.0	—
oracle	webcenter_portal	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL