CVE-2019-10173: It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Affected

25 ranges

Vendor	Product	Version range	Fixed in
debian	libxstream-java	< libxstream-java 1.4.11-1 (bookworm)	libxstream-java 1.4.11-1 (bookworm)
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	2.4.0 – 2.10.0	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	business_activity_monitoring	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_billing_and_revenue_management_elastic_charging_engine	—	—
oracle	communications_diameter_signaling_router	8.0.0 – 8.2.2	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	endeca_information_discovery_studio	—	—
oracle	endeca_information_discovery_studio	—	—
oracle	retail_xstore_point_of_service	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	—	—
oracle	utilities_framework	4.3.0.1.0 – 4.3.0.6.0	—
oracle	webcenter_portal	—	—
oracle	webcenter_portal	—	—
oracle	webcenter_portal	—	—
xstream	xstream	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL