oss-sec mailing list archives
Re: CVE request: remote code execution due to XML deserialization in Restlet
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 08 Aug 2013 11:19:10 -0600
On 08/08/2013 02:16 AM, David Jorm wrote:

> Dinis Cruz has published information on remote code execution due to XML deserialization in Restlet:
> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
> https://github.com/o2platform/DefCon_RESTing
>
> I have tested his reproducer and confirmed it works against Restlet 2.0 and 2.2. Please assign a CVE ID to this flaw. Thanks
Please use CVE-2013-4221 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
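The bug class behind this CVE is a server handing a request body to java.beans.XMLDecoder, which instantiates whatever classes the document names. The following Java is an added example written for this archive page; it is not Restlet's code and not the reproducer linked above. It assumes a hypothetical service that expects a small `<profile>` document with `displayName` and `age` elements (names chosen for the example), and shows the vulnerable decode pattern next to a hardened replacement that parses with a locked-down DOM builder and copies only the two expected fields into a fixed type. It also includes a small detection helper that flags bodies in XMLDecoder's archive format (root element `<java>`) so a service that never meant to accept that format can log and reject them at the edge.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ProfileDeserializer {

    /** Fixed data holder for the only document shape the service accepts (hypothetical type). */
    public static final class Profile {
        public final String displayName;
        public final int age;
        Profile(String displayName, int age) { this.displayName = displayName; this.age = age; }
    }

    // VULNERABLE PATTERN (kept only to show the shape of the bug class): XMLDecoder
    // instantiates the classes named in the document and calls their methods, so
    // running it on a request body lets the client choose what executes in the JVM.
    public static Object unsafeDecode(InputStream untrusted) {
        try (XMLDecoder decoder = new XMLDecoder(untrusted)) {
            return decoder.readObject();
        }
    }

    // HARDENED FORM: a DOM parser with DTDs and external entities disabled, then an
    // explicit copy of the two expected fields into Profile. No class name from the
    // input is ever consulted, so the document cannot select what gets instantiated.
    public static Profile safeDecode(InputStream untrusted) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(untrusted);
        Element root = doc.getDocumentElement();
        if (!"profile".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        String name = requiredText(root, "displayName");
        int age = Integer.parseInt(requiredText(root, "age"));
        if (name.length() > 64 || age < 0 || age > 150) {
            throw new IllegalArgumentException("field out of range");
        }
        return new Profile(name, age);
    }

    private static String requiredText(Element parent, String child) {
        NodeList nodes = parent.getElementsByTagName(child);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <" + child + ">");
        }
        return nodes.item(0).getTextContent().trim();
    }

    /** Detection helper: true when the body is an XMLDecoder archive (root element <java>).
     *  Cheap enough to run on every request before any parser sees the bytes. */
    public static boolean looksLikeXmlDecoderArchive(byte[] body) {
        String head = new String(body, 0, Math.min(body.length, 512), StandardCharsets.UTF_8);
        // drop an XML declaration and leading whitespace, then inspect the root element name
        String stripped = head.replaceFirst("^\\s*<\\?xml[^>]*\\?>", "").trim();
        return stripped.startsWith("<java");
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo; neither is taken from the advisory or the reproducer.
        String benign = "<?xml version=\"1.0\"?><profile><displayName>alice</displayName><age>34</age></profile>";
        String archive = "<?xml version=\"1.0\"?><java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">"
                       + "<string>hello</string></java>";
        Profile p = safeDecode(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println(p.displayName + " " + p.age);
        System.out.println(looksLikeXmlDecoderArchive(archive.getBytes(StandardCharsets.UTF_8)));
        System.out.println(looksLikeXmlDecoderArchive(benign.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The design point is that XMLDecoder has no class filter to bolt on, so the fix is not a tighter XMLDecoder but a parser that never maps input to classes at all; the root-element check is only a logging and triage aid, and the hardened path would reject such a document anyway because its root is not `<profile>`.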