First published: Sun Dec 22 2013
It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jasperreports-server-pro | <0:5.5.0-6.el6e | 0:5.5.0-6.el6e |
| IBM Data Risk Manager | <=2.0.6 | |
| Xstream Project Xstream | <=1.4.6 | |
| Xstream Project Xstream | =1.4.10 | |
| maven/com.thoughtworks.xstream:xstream | =1.4.10 | 1.4.11 |
| maven/com.thoughtworks.xstream:xstream | <1.4.7 | 1.4.7 |
CVE-2013-7285 is a vulnerability in the XStream API affecting versions up to 1.4.6, and version 1.4.10 when the security framework has not been initialized.
CVE-2013-7285 has a severity level of high.
CVE-2013-7285 allows a remote attacker to deserialize arbitrary user-supplied XML content, potentially leading to remote code execution.
To fix CVE-2013-7285, update the XStream API to version 1.4.7 or later; if you are on version 1.4.10 and the security framework has not been initialized, update to version 1.4.11.
More information about CVE-2013-7285 can be found at the following references: [1] [2] [3].
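The fix above hinges on the XStream security framework (available from 1.4.7) actually being initialized: an updated library whose instance still accepts any type name the XML supplies gives little protection. The following is an added example, not code from the XStream project or from this advisory, showing what "initialized" means in practice: a deny-by-default permission set, then an explicit allow-list of the types the application expects. The `Person` class, the `hardenedXStream` helper and the two XML samples are constructed for illustration; the XStream calls (`addPermission`, `allowTypes`, `alias`, `fromXML` and the `ForbiddenClassException` type) are the library's real API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    // Constructed example type: the only object this application expects to receive.
    public static class Person {
        String name;
        int age;
    }

    // Build an XStream instance with the security framework explicitly initialized.
    // Strategy: forbid every type first, then re-enable only what the application needs.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);             // deny everything by default
        xstream.addPermission(NullPermission.NULL);               // allow <null/> values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.alias("person", Person.class);                    // tag name used in the XML
        return xstream;
    }

    // Returns true when the XML was refused by the security framework before any
    // instance of the named type was created; false when it deserialized.
    static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample input of the expected shape: deserializes normally.
        String expected = "<person><name>Alice</name><age>30</age></person>";
        Person p = (Person) xstream.fromXML(expected);
        System.out.println("accepted: " + p.name + " (" + p.age + ")");

        // Constructed sample input naming a type the application never allow-listed.
        // java.util.ArrayList is harmless here; the point is that any type outside
        // the allow-list is refused, regardless of what it is.
        String unexpected = "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        System.out.println("rejected: " + isRejected(xstream, unexpected));
    }
}
```

Two caveats for deployments. First, the permission set must be applied to every `XStream` instance the application creates, including ones built inside frameworks or helper libraries; a single unconfigured instance that reaches untrusted XML reintroduces the exposure. Second, the `Person` allow-list entry covers only `Person` itself: any field types it references beyond `String` and primitives must be allow-listed as well, so the safest way to derive the list is to round-trip a real object through `toXML` and `fromXML` with the hardened instance and add types until the round-trip succeeds.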