AI Score: 7.3 High (Confidence: Low)
EPSS: 0.017 Low (Percentile: 87.8%)
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
restlet.org/learn/2.1/changes
rhn.redhat.com/errata/RHSA-2013-1410.html
rhn.redhat.com/errata/RHSA-2013-1862.html
bugzilla.redhat.com/show_bug.cgi?id=995275
github.com/restlet/restlet-framework-java/issues/774