Vulnerability-Lookup

BDU:2019-02936

Vulnerability from fstec - Published: 21.06.2019

Title

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream, связанная с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольные команды

Description

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат XStream связана с восстановлением в памяти недостоверных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольные команды путем отмены обработки объекта XML или другого поддерживаемого формата

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Oracle Corp., Xstream Project

Software Name

WebLogic Server, Fusion Middleware MapViewer, Primavera Unifier, Oracle Endeca Information Discovery Integrator, WebCenter Portal, Oracle Retail Order Broker, XStream, Oracle Data Integrator, Utilities Framework, Retail Xstore Point of Service, Oracle Communications Unified Inventory Management, Oracle Financial Services Market Risk Measurement and Management, Oracle Endeca Information Discovery Studio, Oracle Financial Services Asset Liability Management, Financial Services Profitability Management, Financial Services Funds Transfer Pricing, Communications MetaSolv Solution, Financial Services Analytical Applications Infrastructure, Oracle SD-WAN Edge, Communications Diameter Signaling Router, Communications BRM - Elastic Charging Engine, Banking Platform, Insurance Allocation Manager for Enterprise Profitability, Oracle Retail Financial Integration, Retail Integration Bus, Oracle Retail Service Backbone, Oracle Real-Time Decision Server, MySQL Enterprise Monitor, Oracle Business Activity Monitoring

Software Version

10.3.6.0 (WebLogic Server), 12.1.3.0 (WebLogic Server), 12.2.1.3.0 (Fusion Middleware MapViewer), 16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 3.2.0 (Oracle Endeca Information Discovery Integrator), 11.1.1.9.0 (WebCenter Portal), 12.2.1.3.0 (WebCenter Portal), 12.2.1.3.0 (WebLogic Server), 15.0 (Oracle Retail Order Broker), 1.4.10 (XStream), 12.2.1.3.0 (Oracle Data Integrator), 4.4.0.0.0 (Utilities Framework), 4.2.0.3.0 (Utilities Framework), 4.2.0.2.0 (Utilities Framework), 18.8 (Primavera Unifier), 17.0 (Retail Xstore Point of Service), 12.2.1.4.0 (WebLogic Server), 7.3 (Oracle Communications Unified Inventory Management), 7.4 (Oracle Communications Unified Inventory Management), 19.12 (Primavera Unifier), от 17.7 до 17.12 включительно (Primavera Unifier), 8.0.6 (Oracle Financial Services Market Risk Measurement and Management), 3.2.0 (Oracle Endeca Information Discovery Studio), 12.2.1.4.0 (WebCenter Portal), 8.0.7 (Oracle Financial Services Asset Liability Management), 8.0.6 (Financial Services Profitability Management), 8.0.7 (Financial Services Profitability Management), 8.0.6 (Financial Services Funds Transfer Pricing), 8.0.7 (Financial Services Funds Transfer Pricing), 6.3.0 (Communications MetaSolv Solution), от 8.0.6 до 8.1.0 включительно (Financial Services Analytical Applications Infrastructure), 9.0 (Oracle SD-WAN Edge), от 8.0.0 до 8.2.2 включительно (Communications Diameter Signaling Router), 11.3.0.9.0 (Communications BRM - Elastic Charging Engine), 12.0.0.3.0 (Communications BRM - Elastic Charging Engine), от 2.4.0 до 2.10.0 включительно (Banking Platform), 2.2.0.0.0 (Utilities Framework), от 4.3.0.1.0 до 4.3.0.6.0 включительно (Utilities Framework), 8.1.0 (Oracle Financial Services Asset Liability Management), 8.1.0 (Financial Services Funds Transfer Pricing), 8.1.0 (Financial Services Profitability Management), 8.1.0 (Insurance Allocation Manager for Enterprise Profitability), 12.2.1.4.0 (Oracle Data Integrator), 20.12 (Primavera Unifier), 14.1.3 (Oracle Retail Financial Integration), 15.0.3 (Oracle Retail Financial Integration), 16.0.3 (Oracle Retail Financial Integration), 14.1.3 (Retail Integration Bus), 15.0.3 (Retail Integration Bus), 16.0.3 (Retail Integration Bus), 14.1.3 (Oracle Retail Service Backbone), 15.0.3 (Oracle Retail Service Backbone), 16.0.3 (Oracle Retail Service Backbone), 3.2.1.0 (Oracle Real-Time Decision Server), 11.1.1.9.0 (Oracle Data Integrator), до 8.0.22 включительно (MySQL Enterprise Monitor), 11.1.1.9.0 (Oracle Business Activity Monitoring), 12.2.1.3.0 (Oracle Business Activity Monitoring), 6.3.1 (Communications MetaSolv Solution)

Possible Mitigations

Использование рекомендаций: Для XStream: http://x-stream.github.io/changes.html#1.4.11 Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujan2021.html

Reference

https://access.redhat.com/security/cve/cve-2019-10173 http://x-stream.github.io/changes.html#1.4.11 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 https://www.cvedetails.com/cve/CVE-2019-10173/ https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujan2021.html

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Oracle Corp., Xstream Project",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "10.3.6.0 (WebLogic Server), 12.1.3.0 (WebLogic Server), 12.2.1.3.0 (Fusion Middleware MapViewer), 16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 3.2.0 (Oracle Endeca Information Discovery Integrator), 11.1.1.9.0 (WebCenter Portal), 12.2.1.3.0 (WebCenter Portal), 12.2.1.3.0 (WebLogic Server), 15.0 (Oracle Retail Order Broker), 1.4.10 (XStream), 12.2.1.3.0 (Oracle Data Integrator), 4.4.0.0.0 (Utilities Framework), 4.2.0.3.0 (Utilities Framework), 4.2.0.2.0 (Utilities Framework), 18.8 (Primavera Unifier), 17.0 (Retail Xstore Point of Service), 12.2.1.4.0 (WebLogic Server), 7.3 (Oracle Communications Unified Inventory Management), 7.4 (Oracle Communications Unified Inventory Management), 19.12 (Primavera Unifier), \u043e\u0442 17.7 \u0434\u043e 17.12 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Primavera Unifier), 8.0.6 (Oracle Financial Services Market Risk Measurement and Management), 3.2.0 (Oracle Endeca Information Discovery Studio), 12.2.1.4.0 (WebCenter Portal), 8.0.7 (Oracle Financial Services Asset Liability Management), 8.0.6 (Financial Services Profitability Management), 8.0.7 (Financial Services Profitability Management), 8.0.6 (Financial Services Funds Transfer Pricing), 8.0.7 (Financial Services Funds Transfer Pricing), 6.3.0 (Communications MetaSolv Solution), \u043e\u0442 8.0.6 \u0434\u043e 8.1.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Financial Services Analytical Applications Infrastructure), 9.0 (Oracle SD-WAN Edge), \u043e\u0442 8.0.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Communications Diameter Signaling Router), 11.3.0.9.0 (Communications BRM - Elastic Charging Engine), 12.0.0.3.0 (Communications BRM - Elastic Charging Engine), \u043e\u0442 2.4.0 \u0434\u043e 2.10.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Banking Platform), 2.2.0.0.0 (Utilities Framework), \u043e\u0442 4.3.0.1.0 \u0434\u043e 4.3.0.6.0 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Utilities Framework), 8.1.0 (Oracle Financial Services Asset Liability Management), 8.1.0 (Financial Services Funds Transfer Pricing), 8.1.0 (Financial Services Profitability Management), 8.1.0 (Insurance Allocation Manager for Enterprise Profitability), 12.2.1.4.0 (Oracle Data Integrator), 20.12 (Primavera Unifier), 14.1.3 (Oracle Retail Financial Integration), 15.0.3 (Oracle Retail Financial Integration), 16.0.3 (Oracle Retail Financial Integration), 14.1.3 (Retail Integration Bus), 15.0.3 (Retail Integration Bus), 16.0.3 (Retail Integration Bus), 14.1.3 (Oracle Retail Service Backbone), 15.0.3 (Oracle Retail Service Backbone), 16.0.3 (Oracle Retail Service Backbone), 3.2.1.0 (Oracle Real-Time Decision Server), 11.1.1.9.0 (Oracle Data Integrator), \u0434\u043e 8.0.22 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (MySQL Enterprise Monitor), 11.1.1.9.0 (Oracle Business Activity Monitoring), 12.2.1.3.0 (Oracle Business Activity Monitoring), 6.3.1 (Communications MetaSolv Solution)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f XStream:\n\nhttp://x-stream.github.io/changes.html#1.4.11\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "21.06.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.08.2019",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-02936",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-10173",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "WebLogic Server, Fusion Middleware MapViewer, Primavera Unifier, Oracle Endeca Information Discovery Integrator, WebCenter Portal, Oracle Retail Order Broker, XStream, Oracle Data Integrator, Utilities Framework, Retail Xstore Point of Service, Oracle Communications Unified Inventory Management, Oracle Financial Services Market Risk Measurement and Management, Oracle Endeca Information Discovery Studio, Oracle Financial Services Asset Liability Management, Financial Services Profitability Management, Financial Services Funds Transfer Pricing, Communications MetaSolv Solution, Financial Services Analytical Applications Infrastructure, Oracle SD-WAN Edge, Communications Diameter Signaling Router, Communications BRM - Elastic Charging Engine, Banking Platform, Insurance Allocation Manager for Enterprise Profitability, Oracle Retail Financial Integration, Retail Integration Bus, Oracle Retail Service Backbone, Oracle Real-Time Decision Server, MySQL Enterprise Monitor, Oracle Business Activity Monitoring",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c Java-\u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043e\u0431\u044a\u0435\u043a\u0442\u043e\u0432 \u0432 XML \u0438\u043b\u0438 JSON \u0444\u043e\u0440\u043c\u0430\u0442 XStream, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c Java-\u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u0434\u043b\u044f \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043e\u0431\u044a\u0435\u043a\u0442\u043e\u0432 \u0432 XML \u0438\u043b\u0438 JSON \u0444\u043e\u0440\u043c\u0430\u0442 XStream \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043c\u0435\u043d\u044b \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u043e\u0431\u044a\u0435\u043a\u0442\u0430 XML \u0438\u043b\u0438 \u0434\u0440\u0443\u0433\u043e\u0433\u043e \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u043c\u043e\u0433\u043e \u0444\u043e\u0440\u043c\u0430\u0442\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://access.redhat.com/security/cve/cve-2019-10173\n\nhttp://x-stream.github.io/changes.html#1.4.11\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173\n\nhttps://www.cvedetails.com/cve/CVE-2019-10173/\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

CVE-2019-10173 (GCVE-0-2019-10173)

Vulnerability from cvelistv5 – Published: 2019-07-23 12:50 – Updated: 2024-08-04 22:10

Summary

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Severity ?

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-94

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2019:3892	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:4352	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0445	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2020:0727	vendor-advisoryx_refsource_REDHAT
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM
	http://x-stream.github.io/changes.html#1.4.11	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xstream	xstream	Affected: fixed in 1.4.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:10.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          },
          {
            "name": "RHSA-2019:4352",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4352"
          },
          {
            "name": "RHSA-2020:0445",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0445"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://x-stream.github.io/changes.html#1.4.11"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "xstream",
          "versions": [
            {
              "status": "affected",
              "version": "fixed in 1.4.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:53:25.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        },
        {
          "name": "RHSA-2019:4352",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4352"
        },
        {
          "name": "RHSA-2020:0445",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0445"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://x-stream.github.io/changes.html#1.4.11"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10173",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xstream",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "fixed in 1.4.11"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "xstream"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)"
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:3892",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4352",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0445",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0445"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"
            },
            {
              "name": "http://x-stream.github.io/changes.html#1.4.11",
              "refsource": "MISC",
              "url": "http://x-stream.github.io/changes.html#1.4.11"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10173",
    "datePublished": "2019-07-23T12:50:44.000Z",
    "dateReserved": "2019-03-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T22:10:10.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2019-02936

CVE-2019-10173 (GCVE-0-2019-10173)

Tags

Sightings

Nomenclature