CVE-2013-7285: Remote code execution due to insecure XML deserialization

May 15, 2019 (updated July 18, 2019)

This package would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

References

blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
bugzilla.redhat.com/CVE-2013-7285
fisheye.codehaus.org/changelog/xstream?cs=2210

Detect and mitigate CVE-2013-7285 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →