Deserialization of untrusted data

2020-02-1914:15:00

PRIOn knowledge base

www.prio-n.com

8.3 High

AI Score

Confidence

Low

0.013 Low

EPSS

Percentile

85.7%

JSON

The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.

CPENameOperatorVersion
restletle2.1.7
restleteq2.2 rc1
restleteq2.2 rc2
restleteq2.2 m2
restleteq2.2 m3
restleteq2.2 m4
restleteq2.2 m5
restleteq2.2 m6
restleteq2.2 m1
restleteq2.2 snapshot

Name	Operator	Version
restlet	le	2.1.7
restlet	eq	2.2 rc1
restlet	eq	2.2 rc2
restlet	eq	2.2 m2
restlet	eq	2.2 m3
restlet	eq	2.2 m4
restlet	eq	2.2 m5
restlet	eq	2.2 m6
restlet	eq	2.2 m1
restlet	eq	2.2 snapshot

References

web.archive.org/web/20140425095352/h30499.www3.hp.com/t5/HP-Security-Research-Blog/Remote-code-execution-and-XML-Entity-Expansion-injection/ba-p/6403370