7.5

CVE-2013-4221

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RestletRestlet Version <= 2.1.3
RestletRestlet Version2.1 Updatemilestone1
RestletRestlet Version2.1 Updatemilestone2
RestletRestlet Version2.1 Updatemilestone3
RestletRestlet Version2.1 Updatemilestone4
RestletRestlet Version2.1 Updatemilestone5
RestletRestlet Version2.1 Updatemilestone6
RestletRestlet Version2.1 Updaterc1
RestletRestlet Version2.1 Updaterc2
RestletRestlet Version2.1 Updaterc3
RestletRestlet Version2.1 Updaterc4
RestletRestlet Version2.1 Updaterc5
RestletRestlet Version2.1 Updaterc6
RestletRestlet Version2.1.0
RestletRestlet Version2.1.1
RestletRestlet Version2.1.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.95% 0.854
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

http://rhn.redhat.com/errata/RHSA-2013-1862.html
Third Party Advisory
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
Third Party Advisory
http://restlet.org/learn/2.1/changes
Vendor Advisory
Release Notes
http://rhn.redhat.com/errata/RHSA-2013-1410.html
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=995275
Third Party Advisory
Issue Tracking
https://github.com/restlet/restlet-framework-java/issues/774
Patch
Issue Tracking