CVSS2 base score: 7.5 (High), vector `AV:N/AC:L/Au:N/C:P/I:P/A:P`

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

EPSS score: 0.017 (Low), percentile 87.8%
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
CPE | Name | Operator | Version |
---|---|---|---|
 | org.restlet.jse:org.restlet | lt | 2.1.4 |
blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
restlet.org/learn/2.1/changes
rhn.redhat.com/errata/RHSA-2013-1410.html
rhn.redhat.com/errata/RHSA-2013-1862.html
bugzilla.redhat.com/show_bug.cgi?id=995275
github.com/advisories/GHSA-92j2-5r7p-6hjw
github.com/restlet/restlet-framework-java/commit/b85c2ef182c69c5e2e21df008ccb249ccf80c7b
github.com/restlet/restlet-framework-java/issues/774
nvd.nist.gov/vuln/detail/CVE-2013-4221