ID CVE-2013-4221
Summary The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
References
Vulnerable Configurations
  • cpe:2.3:a:restlet:restlet:2.1:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:milestone5:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:milestone6:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc3:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc4:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc5:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:rc6:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta10:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta11:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta12:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta13:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta14:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta15:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta15a:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta16:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta17:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta18:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta19:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta20:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta21:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta22:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta23:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta7:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta8:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:beta9:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.01:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1:-:*:*:*:*:*:*
  • cpe:2.3:a:restlet:restlet:2.1.3:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 07-12-2016 - 18:13)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2013:1410
  • rhsa
    id RHSA-2013:1862
refmap via4
confirm
misc http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
Last major update 07-12-2016 - 18:13
Published 10-10-2013 - 00:55
Last modified 07-12-2016 - 18:13