← Back

CVE-2019-10173

nvd nist
Published: Jul 23, 2019Modified: May 14, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Affected (24)

Xstream
1 product
Xstream
Oracle
9 products
Banking Platform
Business Activity Monitoring
Communications Billing And Revenue Management Elastic Charging Engine
Communications Diameter Signaling Router
Communications Unified Inventory Management
Endeca Information Discovery Studio
Retail Xstore Point Of Service
Utilities Framework
Webcenter Portal
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Xstream
Version 1.4.10
Configuration B
23 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Banking Platform
From 2.4.0 to 2.10.0
Banking Platform
Version 2.4.0
Banking Platform
Version 2.7.1
Banking Platform
Version 2.9.0
Oracle
Business Activity Monitoring
Version 11.1.1.9.0
Business Activity Monitoring
Version 12.2.1.3.0
Business Activity Monitoring
Version 12.2.1.4.0
Oracle
Communications Billing And Revenue Management Elastic Charging Engine
Version 11.3.0.9.0
Communications Billing And Revenue Management Elastic Charging Engine
Version 12.0.0.3.0
Communications Diameter Signaling Router
From 8.0.0 to 8.2.2
Oracle
Communications Unified Inventory Management
Version 7.3.0
Communications Unified Inventory Management
Version 7.4.0
Oracle
Endeca Information Discovery Studio
Version 3.2.0.0
Endeca Information Discovery Studio
Version 3.2.0
Retail Xstore Point Of Service
Version 17.0
Oracle
Utilities Framework
From 4.3.0.1.0 to 4.3.0.6.0
Utilities Framework
Version 2.2.0.0.0
Utilities Framework
Version 4.2.0.2.0
Utilities Framework
Version 4.2.0.3.0
Utilities Framework
Version 4.4.0.0.0
Oracle
Webcenter Portal
Version 11.1.1.9.0
Webcenter Portal
Version 12.2.1.3.0
Webcenter Portal
Version 12.2.1.4.0

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (22)

Source: secalert@redhat.com
Release NotesThird Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Issue TrackingThird Party Advisory
Source: secalert@redhat.com
PatchThird Party Advisory
Source: secalert@redhat.com
PatchThird Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.