oss-sec mailing list archives
Re: CVE request: remote code execution via deserialization in XStream
From: cve-assign () mitre org
Date: Thu, 9 Jan 2014 18:46:19 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Use CVE-2013-7285. At least initially, the scope of this CVE is "XStream is an 'reflection-based XML-to-Object conversion'" in that file, and all of the implications of unrestricted conversion, including "allows the creation of server side objects based on reflection (which means that you could have all sorts of business-logic sensitive objects being created)" -- which is mentioned separately in that file. If this does not make sense, and multiple CVEs are needed, please let us know. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSzzPZAAoJEKllVAevmvms3cEH/3MBAH57R/LhQfI5ZMUm9FOD eZm7p9IGl3PpSMtrwqSNwXS6InpfAmc04P0xX/HM4yFSRX6yHVaTZA9vbNGRs6PV VdZg/A+WiUwdBdGhsFfXCb82QvCthdxyv6AAK5uNpVqQTqmikVPNk8gYxcHXZz3+ xUmUGLxwlCtImSZ1WiZMSCMYul3jsFsuOiVlqHF2NBoXh+55xmy8hLTOCUijILeG lAXfMo25S971OJalr5pzGUC2EPUclV5D08+jv3KCNqryNphsepa3+14OKrvvz1yX Q19c3+suDKWOUDvur9ENeHkf//Va881GNGZkcvppfvIkYCMI3vKFaWGMYRWR+jE= =Jkgd -----END PGP SIGNATURE-----
Current thread:
- CVE request: remote code execution via deserialization in XStream David Jorm (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream cve-assign (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream David Jorm (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream cve-assign (Jan 09)