9.8
CVE-2019-10173
- EPSS 91.87%
- Published 23.07.2019 13:15:13
- Last modified 14.05.2025 20:02:54
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
Data is provided by the National Vulnerability Database (NVD)
Oracle ≫ Banking Platform Version >= 2.4.0 <= 2.10.0
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Business Activity Monitoring Version11.1.1.9.0
Oracle ≫ Business Activity Monitoring Version12.2.1.3.0
Oracle ≫ Business Activity Monitoring Version12.2.1.4.0
Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version11.3.0.9.0
Oracle ≫ Communications Billing And Revenue Management Elastic Charging Engine Version12.0.0.3.0
Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0 <= 8.2.2
Oracle ≫ Communications Unified Inventory Management Version7.3.0
Oracle ≫ Communications Unified Inventory Management Version7.4.0
Oracle ≫ Endeca Information Discovery Studio Version3.2.0
Oracle ≫ Endeca Information Discovery Studio Version3.2.0.0
Oracle ≫ Retail Xstore Point Of Service Version17.0
Oracle ≫ Utilities Framework Version >= 4.3.0.1.0 <= 4.3.0.6.0
Oracle ≫ Utilities Framework Version2.2.0.0.0
Oracle ≫ Utilities Framework Version4.2.0.2.0
Oracle ≫ Utilities Framework Version4.2.0.3.0
Oracle ≫ Utilities Framework Version4.4.0.0.0
Oracle ≫ Webcenter Portal Version11.1.1.9.0
Oracle ≫ Webcenter Portal Version12.2.1.3.0
Oracle ≫ Webcenter Portal Version12.2.1.4.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 91.87% | 0.997 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| secalert@redhat.com | 7.3 | 3.9 | 3.4 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.