CVE-2013-7285: Command Injection

May 15, 2019 (updated July 18, 2019)

If the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

References

blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
bugzilla.redhat.com/CVE-2013-7285
fisheye.codehaus.org/changelog/xstream?cs=2210

Detect and mitigate CVE-2013-7285 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →