CVE-2013-7285 — Command Injection in Xstream

Description

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

How to fix CVE-2013-7285

To remediate CVE-2013-7285, upgrade the affected package to a fixed version below.

Debian/libxstream-java—upgrade to 1.4.7-1 or later
—upgrade to 1.4.7 or later

Is CVE-2013-7285 being exploited?

Moderate — EPSS is 18.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.4.7-1
from 0, < 1.4.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-7285
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-7285
WEBblog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
WEBseclists.org/oss-sec/2014/q1/69