oss-sec mailing list archives

CVE request: remote code execution due to XML deserialization in Restlet


From: David Jorm <djorm () redhat com>
Date: Thu, 8 Aug 2013 04:16:40 -0400 (EDT)

Dinis Cruz has published information on remote code execution due to XML deserialization in Restlet:

http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
https://github.com/o2platform/DefCon_RESTing

I have tested his reproducer and confirmed it works against Restlet 2.0 and 2.2. Please assign a CVE ID to this flaw.

Thanks
-- 
David Jorm / Red Hat Security Response Team
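
Added example, not from the original post, from Dinis Cruz's write-up, or from Restlet's own code: the point this request rests on is that java.beans.XMLDecoder treats its input as a script of constructor and method calls on any class in the server's classpath, so handing it request bytes is code execution, not parsing. The snippet below shows that pattern with a deliberately harmless constructed document, then a hardened handler that never lets XMLDecoder see input. The media type strings, the method names and the sample body are assumptions for illustration.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class XmlDecoderDemo {

    // Constructed sample input (not from the original post). XMLDecoder does not read
    // this as data: <void class=... method=...> is a static method call and <object class=...>
    // would be a constructor call, on any class the server has on its classpath. The call
    // here is deliberately harmless (it sets a system property) so the demo is safe to run;
    // nothing stops the same document from naming java.lang.ProcessBuilder instead.
    static final String UNTRUSTED_BODY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <void class=\"java.lang.System\" method=\"setProperty\">\n"
      + "    <string>demo.marker</string>\n"
      + "    <string>set-by-xmldecoder</string>\n"
      + "  </void>\n"
      + "  <string>harmless result object</string>\n"
      + "</java>\n";

    // Vulnerable pattern: request bytes go straight into XMLDecoder. The side effects of the
    // document run while the stream is parsed, before the caller sees the returned object,
    // so validating the result afterwards is too late.
    static Object deserializeUnsafely(byte[] body) {
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(body))) {
            return decoder.readObject();
        }
    }

    // Hardened pattern (hypothetical helper): an allow-list of the media types the endpoint
    // actually needs, checked before any parser runs. A java.beans XML media type is never
    // on the list, so XMLDecoder is unreachable from client input.
    static final Set<String> ACCEPTED_MEDIA_TYPES = Set.of("application/json", "application/xml");

    static Object deserializeSafely(String mediaType, byte[] body) {
        // Strip parameters such as ";charset=utf-8" before comparing.
        String type = mediaType.split(";", 2)[0].trim().toLowerCase();
        if (!ACCEPTED_MEDIA_TYPES.contains(type)) {
            throw new IllegalArgumentException("unsupported media type: " + type);
        }
        // Dispatch to a data-only parser here (a JSON binder, or a DocumentBuilder with
        // external entities disabled); the body is returned as text only to keep the demo short.
        return new String(body, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        byte[] body = UNTRUSTED_BODY.getBytes(StandardCharsets.UTF_8);

        Object result = deserializeUnsafely(body);
        System.out.println("returned object: " + result);
        // The property exists only because XMLDecoder executed the <void> call while parsing.
        System.out.println("demo.marker = " + System.getProperty("demo.marker"));

        try {
            deserializeSafely("application/x-java-serialized-object+xml; charset=utf-8", body);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java XmlDecoderDemo.java` (Java 11 or later). The first two lines of output show that the system property was set by the document itself before readObject() returned anything; that is the whole flaw class, independent of which framework wraps the decoder. The hardened handler fails closed on the media type, which is the check a practitioner would want in front of any endpoint that once accepted java.beans XML.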

