oss-sec mailing list archives
Re: CVE request: remote code execution via deserialization in XStream
From: David Jorm <djorm () redhat com>
Date: Fri, 10 Jan 2014 10:07:57 +1000
On 01/10/2014 09:46 AM, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.htmlUse CVE-2013-7285. At least initially, the scope of this CVE is "XStream is an 'reflection-based XML-to-Object conversion'" in that file, and all of the implications of unrestricted conversion, including "allows the creation of server side objects based on reflection (which means that you could have all sorts of business-logic sensitive objects being created)" -- which is mentioned separately in that file. If this does not make sense, and multiple CVEs are needed, please let us know.- -- CVE assignment team, MITRE CVE Numbering AuthorityM/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSzzPZAAoJEKllVAevmvms3cEH/3MBAH57R/LhQfI5ZMUm9FOD eZm7p9IGl3PpSMtrwqSNwXS6InpfAmc04P0xX/HM4yFSRX6yHVaTZA9vbNGRs6PV VdZg/A+WiUwdBdGhsFfXCb82QvCthdxyv6AAK5uNpVqQTqmikVPNk8gYxcHXZz3+ xUmUGLxwlCtImSZ1WiZMSCMYul3jsFsuOiVlqHF2NBoXh+55xmy8hLTOCUijILeG lAXfMo25S971OJalr5pzGUC2EPUclV5D08+jv3KCNqryNphsepa3+14OKrvvz1yX Q19c3+suDKWOUDvur9ENeHkf//Va881GNGZkcvppfvIkYCMI3vKFaWGMYRWR+jE= =Jkgd -----END PGP SIGNATURE-----
That makes sense, and I think a single CVE ID is all that is needed in this case.
Thanks David
Current thread:
- CVE request: remote code execution via deserialization in XStream David Jorm (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream cve-assign (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream David Jorm (Jan 09)
- Re: CVE request: remote code execution via deserialization in XStream cve-assign (Jan 09)