It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
References
Link | Resource |
---|---|
http://x-stream.github.io/changes.html#1.4.11 | Release Notes Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:3892 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2019:4352 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2020:0445 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2020:0727 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 | Issue Tracking Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2020.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2020.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
05 Oct 2022, 20:38
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:* |
20 Jul 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
14 Jun 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Mar 2021, 15:25
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:* |
|
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2020:0727 - Third Party Advisory | |
References | (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:4352 - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2019:3892 - Third Party Advisory | |
References | (REDHAT) https://access.redhat.com/errata/RHSA-2020:0445 - Third Party Advisory |
20 Jan 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2019-07-23 13:15
Updated : 2023-12-10 12:59
NVD link : CVE-2019-10173
Mitre link : CVE-2019-10173
CVE.ORG link : CVE-2019-10173
JSON object : View
Products Affected
oracle
- communications_billing_and_revenue_management_elastic_charging_engine
- retail_xstore_point_of_service
- communications_diameter_signaling_router
- banking_platform
- utilities_framework
- communications_unified_inventory_management
- endeca_information_discovery_studio
- webcenter_portal
- business_activity_monitoring
xstream_project
- xstream