What is CVE-2013-7285?

CVE-2013-7285 is a vulnerability in N/a. Published 2019-05-15.

Is CVE-2013-7285 known to be exploited?

20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2013-7285

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any su…

EPSS: 0.844 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

[oss-security] 20140109 Re: CVE request: remote code execution via deserialization in XStream (mailing-list, x_refsource_MLIST)
[xstream-user] 20130717 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper (mailing-list, x_refsource_MLIST)
[xstream-user] 20130718 Re: Is it possible to unregister the DynamicProxyConverter using the SpringOXM wrapper (mailing-list, x_refsource_MLIST)
[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar (mailing-list, x_refsource_MLIST)
[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries. (mailing-list, x_refsource_MLIST)
blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html (x_refsource_MISC)
x-stream.github.io/CVE-2013-7285.html (x_refsource_CONFIRM)
www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-re… (x_refsource_MISC)

Frequently asked questions

What is CVE-2013-7285?: CVE-2013-7285 is a vulnerability in N/a. Published 2019-05-15.
Is CVE-2013-7285 known to be exploited?: 20 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.