Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05MmoyLTVyN3AtNmhqd84AAcqh
Restlet is vulnerable to Arbitrary Java Code Execution via crafted XML
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
Permalink: https://github.com/advisories/GHSA-92j2-5r7p-6hjw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05MmoyLTVyN3AtNmhqd84AAcqh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago
Identifiers: GHSA-92j2-5r7p-6hjw, CVE-2013-4221
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-4221
- https://github.com/restlet/restlet-framework-java/issues/774
- https://bugzilla.redhat.com/show_bug.cgi?id=995275
- http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- http://restlet.org/learn/2.1/changes
- http://rhn.redhat.com/errata/RHSA-2013-1410.html
- http://rhn.redhat.com/errata/RHSA-2013-1862.html
- https://github.com/restlet/restlet-framework-java/commit/b85c2ef182c69c5e2e21df008ccb249ccf80c7b
- https://github.com/advisories/GHSA-92j2-5r7p-6hjw
Blast Radius: 1.0
Affected Packages
maven:org.restlet.jse:org.restlet
Affected Version Ranges: < 2.1.4
Fixed in: 2.1.4