
CVE-2013-4221

Vincent Danen
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
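The sink the description refers to, shown as an added example rather than Restlet's own code: the first method reproduces the dangerous pattern (a request body handed straight to java.beans.XMLDecoder), the second parses the same body as inert data. The method names, the sample document and the hardened variant are this example's own assumptions; what Restlet actually changed in 2.1.4 is not stated on this page.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example illustrating the XMLDecoder deserialization pattern behind
// CVE-2013-4221. Not Restlet code; all names below are hypothetical.
public class XmlDecoderDemo {

    // Constructed sample in java.beans.XMLEncoder format; decodes to the String "hello".
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <string>hello</string>\n"
      + "</java>\n";

    // Vulnerable pattern (hypothetical name). By design, XMLDecoder instantiates whatever
    // public classes the document names in <object class="..."> and calls the methods it
    // lists in <void method="...">, so a crafted request body reaching this method executes
    // attacker-chosen Java on the server. There is no allow-list hook to restrict it.
    static Object decodeWithXmlDecoder(InputStream body) {
        try (XMLDecoder dec = new XMLDecoder(body)) {
            return dec.readObject();
        }
    }

    // Hardened pattern (hypothetical name). The body is parsed as plain XML with DTDs
    // and entity expansion disabled; a DOM parser cannot instantiate classes, and the
    // caller reads only the single element it expects.
    static String readStringPayload(InputStream body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(body);
        NodeList strings = d.getDocumentElement().getElementsByTagName("string");
        if (strings.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <string> element");
        }
        return strings.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = SAMPLE_XML.getBytes(StandardCharsets.UTF_8);
        System.out.println("XMLDecoder returned: "
            + decodeWithXmlDecoder(new ByteArrayInputStream(bytes)));
        System.out.println("Data-only parser returned: "
            + readStringPayload(new ByteArrayInputStream(bytes)));
    }
}
```

Both methods print "hello" for the benign sample; the difference is what each would do with a document naming an arbitrary class. Because XMLDecoder offers no way to restrict the classes it instantiates, the only reliable mitigation is to keep untrusted input away from it entirely.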

Details Source: Mitre
Public Date: 2013-08-07
Impact: Important
Bugzilla: 995275 - CVE-2013-4221 Restlet: remote code execution due to insecure XML deserialization
CVSS Status: verified
CVSS v2 Base Score: 6.8
CVSS v2 Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:P

External References

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
http://restlet.org/learn/2.1/changes

Red Hat Security Errata

Platform                        Errata          Release Date
Fuse ESB Enterprise 7.1.0       RHSA-2013:1862  2013-12-19
Fuse Management Console 7.1.0   RHSA-2013:1862  2013-12-19
Red Hat JBoss A-MQ 6.0          RHSA-2013:1410  2013-10-07
Red Hat JBoss Fuse 6.0          RHSA-2013:1410  2013-10-07
Fuse MQ Enterprise 7.1.0        RHSA-2013:1862  2013-12-19