Candidate: CVE-2013-7285
PublicDate: 2019-05-15 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
 http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
 http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
 http://xstream.codehaus.org/security.html
 https://fisheye.codehaus.org/changelog/xstream?cs=2210
Description:
 Xstream API versions up to 1.4.6 and version 1.4.10, if the security
 framework has not been initialized, may allow a remote attacker to run
 arbitrary shell commands by manipulating the processed input stream when
 unmarshaling XML or any supported format. e.g. JSON.
Ubuntu-Description:
Notes:
 mdeslaur> starting with 1.4.7, it is now possible to define permissions
 mdeslaur> for types. This requires applications to use permissions.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libxstream-java:
upstream_libxstream-java: released (1.4.7-1)
lucid_libxstream-java: ignored (reached end-of-life)
precise_libxstream-java: ignored (reached end-of-life)
precise/esm_libxstream-java: DNE (precise was needed)
quantal_libxstream-java: ignored (reached end-of-life)
raring_libxstream-java: ignored (reached end-of-life)
saucy_libxstream-java: ignored (reached end-of-life)
trusty_libxstream-java: released (1.4.7-1)
trusty/esm_libxstream-java: released (1.4.7-1)
utopic_libxstream-java: ignored (reached end-of-life)
vivid_libxstream-java: ignored (reached end-of-life)
vivid/stable-phone-overlay_libxstream-java: DNE
vivid/ubuntu-core_libxstream-java: DNE
wily_libxstream-java: ignored (reached end-of-life)
xenial_libxstream-java: released (1.4.7-1)
yakkety_libxstream-java: ignored (reached end-of-life)
zesty_libxstream-java: ignored (reached end-of-life)
artful_libxstream-java: ignored (reached end-of-life)
bionic_libxstream-java: released (1.4.7-1)
cosmic_libxstream-java: released (1.4.7-1)
devel_libxstream-java: released (1.4.7-1)