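Vulnerability Details
XStream OS Command Injection Vulnerability
- CNNVD ID: CNNVD-201401-178
- Severity: Critical
- CVE ID: CVE-2013-7285
- Vulnerability type: OS command injection
- Published: 2013-12-22
- Threat type: Remote
- Updated: 2022-04-27
- Vendor:
- Vulnerability source: Dinis Cruz
Vulnerability Summary
XStream is a lightweight, easy-to-use open-source Java library from the XStream team, used mainly to serialize objects to XML (JSON) and to deserialize them back into objects.
An OS command injection vulnerability exists in XStream. It stems from a network system or product failing to properly filter special elements when constructing an executable command from external input data. An attacker can exploit this vulnerability to execute illegal commands.
Vulnerability Advisory
The vendor has released an upgrade patch that fixes this security issue. The patch is available at: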
http://xstream.codehaus.org/
References
Source: MLIST
Link: https://lists.apache.org/thread.HTML/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
Source: MLIST
Link: https://www.mail-archive.com/[email protected]/msg00607.HTML
Source: CONFIRM
Link: https://x-stream.github.io/CVE-2013-7285.HTML
Source: blog.diniscruz.com
Link: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.HTML
Source: MISC
Link: http://web.archive.org/web/20140204133306/
Source: www.mail-archive.com
Link: https://www.mail-archive.com/[email protected]/msg00604.HTML
Source: seclists.org
Link: http://seclists.org/oss-sec/2014/q1/69
Source: MLIST
Link: https://lists.apache.org/thread.HTML/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E
Source: MISC
Link: https://www.oracle.com/security-alerts/cpuoct2020.HTML
Source: access.redhat.com
Link: https://access.redhat.com/errata/RHSA-2019:3892
Source: www.ibm.com
Link: https://www.ibm.com/support/pages/node/887115
Source: www.ibm.com
Link: https://www.ibm.com/support/docview.wss?uid=ibm10967469
Source: www.ibm.com
Link: https://www.ibm.com/support/pages/node/1109925
Source: www.ibm.com
Link: http://www.ibm.com/support/docview.wss?uid=ibm10872142
Source: access.redhat.com
Link: https://access.redhat.com/errata/RHSA-2019:1823
Source: access.redhat.com
Link: https://access.redhat.com/errata/RHSA-2019:4352
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/75922
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2013-7285
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-identified-in-ibm-storediq/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.2734/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.4080/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.4416/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.4737/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.0832/
Source: www-01.ibm.com
Link: https://www-01.ibm.com/support/docview.wss?uid=ibm10872142
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2020.4255/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.3165/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2019.4332/
Affected Entities
None available
Patches
- Fix for the XStream remote code execution vulnerability