CVE-2013-7285 — CRITICAL (9.8)

Q: How severe is CVE-2013-7285?

CVE-2013-7285 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2013-7285?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Endeca Information Discovery Studio, Apache Activemq, Xstream Xstream.

Vulnerability Description

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Oracle	Endeca Information Discovery Studio	3.2.0
Apache	Activemq	5.15.8
Xstream	Xstream	<= 1.4.6

Related Weaknesses (CWE)

CWE-78

References

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.htmlBroken LinkNot ApplicableURL Repurposed
http://seclists.org/oss-sec/2014/q1/69Mailing ListThird Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstrThird Party Advisory
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458Mailing List
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9Mailing List
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.htmlThird Party Advisory
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
https://x-stream.github.io/CVE-2013-7285.htmlExploitThird Party Advisory
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.htmlBroken LinkNot ApplicableURL Repurposed
http://seclists.org/oss-sec/2014/q1/69Mailing ListThird Party Advisory
http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstrThird Party Advisory
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458Mailing List
https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9Mailing List
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.htmlThird Party Advisory

FAQ

What is CVE-2013-7285?

CVE-2013-7285 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input...

How severe is CVE-2013-7285?

CVE-2013-7285 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2013-7285?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Endeca Information Discovery Studio, Apache Activemq, Xstream Xstream.