oss-sec mailing list archives

Re: CVE request: remote code execution due to XML deserialization in Restlet


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 08 Aug 2013 11:19:10 -0600

On 08/08/2013 02:16 AM, David Jorm wrote:
> Dinis Cruz has published information on remote code execution due
> to XML deserialization in Restlet:
>
> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>
> https://github.com/o2platform/DefCon_RESTing
>
> I have tested his reproducer and confirmed it works against Restlet
> 2.0 and 2.2. Please assign a CVE ID to this flaw.
>
> Thanks

Please use CVE-2013-4221 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993