It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 | Issue Tracking Third Party Advisory |
http://x-stream.github.io/changes.html#1.4.11 | Release Notes Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:3892 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:4352 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2020:0445 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2020:0727 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Information
Published : 2019-07-23 06:15
Updated : 2022-10-05 13:38
NVD link : CVE-2019-10173
Mitre link : CVE-2019-10173
JSON object : View
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')
Products Affected
oracle
- webcenter_portal
- communications_unified_inventory_management
- banking_platform
- business_activity_monitoring
- utilities_framework
- communications_billing_and_revenue_management_elastic_charging_engine
- retail_xstore_point_of_service
- endeca_information_discovery_studio
- communications_diameter_signaling_router
xstream_project
- xstream