{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-17T00:00:00", "descriptions": [{"lang": "en", "value": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-25T12:46:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/69"}, {"name": "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html"}, {"name": "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://x-stream.github.io/CVE-2013-7285.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_MISC"], "url": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7285", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/69"}, {"name": "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "refsource": "MLIST", "url": "https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html"}, {"name": "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "refsource": "MLIST", "url": "https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E"}, {"name": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", "refsource": "MISC", "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"name": "https://x-stream.github.io/CVE-2013-7285.html", "refsource": "CONFIRM", "url": "https://x-stream.github.io/CVE-2013-7285.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html", "refsource": "MISC", "url": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:01:20.408Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/69"}, {"name": "[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html"}, {"name": "[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html"}, {"name": "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://x-stream.github.io/CVE-2013-7285.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7285", "datePublished": "2019-05-15T16:54:57", "dateReserved": "2014-01-09T00:00:00", "dateUpdated": "2024-08-06T18:01:20.408Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:x-stream:xstream:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "FCA4A48D-89A9-4020-90A5-6CB53F8D7529", "vulnerable": true}, {"criteria": "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", "matchCriteriaId": "6778C7B9-EA5D-44AA-8E26-FC292493D887", "versionEndIncluding": "1.4.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON."}, {"lang": "es", "value": "Xstream API versiones hasta la 1.4.6 y versi\u00f3n 1.4.10, Si la security framework no ha sido inicializada, estas vulnerabilidades podr\u00edan permitir que un atacante remoto ejecute comandos arbitrarios de shell mediante la manipulaci\u00f3n de la secuencia de entrada procesada al desclasificar un XML o cualquier formato compatible. p.ej. JSON."}], "id": "CVE-2013-7285", "lastModified": "2025-04-01T13:07:22.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-15T17:29:00.297", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable", "URL Repurposed"], "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2014/q1/69"}, {"source": "cve@mitre.org", "url": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html"}, {"source": "cve@mitre.org", "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://x-stream.github.io/CVE-2013-7285.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable", "URL Repurposed"], "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2014/q1/69"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://x-stream.github.io/CVE-2013-7285.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2014:0452", "cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0", "product_name": "Fuse ESB Enterprise 7.1.0", "release_date": "2014-04-30T00:00:00Z"}, {"advisory": "RHSA-2014:0452", "cpe": "cpe:/a:redhat:fuse_management_console:7.1.0", "product_name": "Fuse Management Console 7.1.0", "release_date": "2014-04-30T00:00:00Z"}, {"advisory": "RHSA-2014:0452", "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0", "product_name": "Fuse MQ Enterprise 7.1.0", "release_date": "2014-04-30T00:00:00Z"}, {"advisory": "RHSA-2014:1007", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5.3", "package": "xstream", "product_name": "JBoss Enterprise BRMS Platform 5.3", "release_date": "2014-08-05T00:00:00Z"}, {"advisory": "RHSA-2014:0323", "cpe": "cpe:/a:redhat:jboss_amq:6.0.0", "product_name": "Red Hat JBoss A-MQ 6.0", "release_date": "2014-03-24T00:00:00Z"}, {"advisory": "RHSA-2014:0371", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "xstream", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2014-04-03T00:00:00Z"}, {"advisory": "RHSA-2014:0372", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "xstream", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2014-04-03T00:00:00Z"}, {"advisory": "RHSA-2014:0374", "cpe": "cpe:/a:redhat:jboss_data_grid:6.2.1", "package": "xstream", "product_name": "Red Hat JBoss Data Grid 6.2", "release_date": "2014-04-03T00:00:00Z"}, {"advisory": "RHSA-2014:0294", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0", "package": "xstream", "product_name": "Red Hat JBoss Data Virtualization 6.0", "release_date": "2014-03-13T00:00:00Z"}, {"advisory": "RHSA-2014:0323", "cpe": "cpe:/a:redhat:jboss_fuse:6.0.0", "product_name": "Red Hat JBoss Fuse 6.0", "release_date": "2014-03-24T00:00:00Z"}, {"advisory": "RHSA-2014:0216", "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "package": "xstream", "product_name": "Red Hat JBoss Fuse Service Works 6.0", "release_date": "2014-02-26T00:00:00Z"}, {"advisory": "RHSA-2014:1059", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2", "package": "xstream", "product_name": "Red Hat JBoss Portal 5.2", "release_date": "2014-08-14T00:00:00Z"}, {"advisory": "RHSA-2015:1009", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package": "xstream", "product_name": "Red Hat JBoss Portal 6.2", "release_date": "2015-05-14T00:00:00Z"}, {"advisory": "RHSA-2015:1888", "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3", "package": "xstream", "product_name": "Red Hat JBoss SOA Platform 5.3", "release_date": "2015-10-12T00:00:00Z"}, {"advisory": "RHSA-2014:0389", "cpe": "cpe:/a:redhat:rhev_manager:3", "package": "jasperreports-server-pro-0:5.5.0-6.el6ev", "product_name": "RHEV Manager version 3.3", "release_date": "2014-04-09T00:00:00Z"}], "bugzilla": {"description": "XStream: remote code execution due to insecure XML deserialization", "id": "1051277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-94", "details": ["Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.", "It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application."], "name": "CVE-2013-7285", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "xstream", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "amq-6.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6.0", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-esb-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-mq-7.1", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "xstream", "product_name": "Red Hat JBoss SOA Platform 4.3"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Affected", "package_name": "xstream", "product_name": "Red Hat OpenShift Enterprise 2"}], "public_date": "2013-12-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-7285\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-7285\nhttp://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html\nhttp://xstream.codehaus.org/security.html\nhttps://securityblog.redhat.com/2014/01/23/java-deserialization-flaws-part-2-xml-deserialization/"], "threat_severity": "Important"}