CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.1%
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
Vendor | Product | Version | CPE |
---|---|---|---|
xstream_project | xstream | 1.4.10 | cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:* |
oracle | banking_platform | * | cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* |
oracle | banking_platform | 2.4.0 | cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:* |
oracle | banking_platform | 2.7.1 | cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* |
oracle | banking_platform | 2.9.0 | cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:* |
oracle | business_activity_monitoring | 11.1.1.9.0 | cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:* |
oracle | business_activity_monitoring | 12.2.1.3.0 | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:* |
oracle | business_activity_monitoring | 12.2.1.4.0 | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* |
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3.0.9.0 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9.0:*:*:*:*:*:*:* |
oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0.0.3.0 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3.0:*:*:*:*:*:*:* |
x-stream.github.io/changes.html#1.4.11
access.redhat.com/errata/RHSA-2019:3892
access.redhat.com/errata/RHSA-2019:4352
access.redhat.com/errata/RHSA-2020:0445
access.redhat.com/errata/RHSA-2020:0727
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpuoct2020.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.1%