CVE-2013-7285

nvd nist nuclei

Published: May 15, 2019Modified: May 23, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Affected (4)

Products: Oracle: Endeca Information Discovery Studio · Apache: Activemq · Xstream: Xstream

1 product

Endeca Information Discovery Studio

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Endeca Information Discovery Studio	Version 3.2.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Version 5.15.8

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Up to 1.4.6
Xstream Xstream	Version 1.4.10

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (18)

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

Source: cve@mitre.org

Broken LinkNot ApplicableURL Repurposed

http://seclists.org/oss-sec/2014/q1/69

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

Source: cve@mitre.org

Third Party Advisory

https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E

Source: cve@mitre.org

Mailing List

https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E

Source: cve@mitre.org

Mailing List

https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html

Source: cve@mitre.org

Third Party Advisory

https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html

Source: cve@mitre.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: cve@mitre.org

Third Party Advisory

https://x-stream.github.io/CVE-2013-7285.html

Source: cve@mitre.org

ExploitThird Party Advisory

http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkNot ApplicableURL Repurposed

http://seclists.org/oss-sec/2014/q1/69

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://x-stream.github.io/CVE-2013-7285.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.