It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

CPENameOperatorVersion
xstreameqXSTREAM_1_4_9
xstreameqXSTREAM_1_4_5
xstreameqXSTREAM_1_4_10

Name	Operator	Version
xstream	eq	XSTREAM_1_4_9
xstream	eq	XSTREAM_1_4_5
xstream	eq	XSTREAM_1_4_10

References

x-stream.github.io/changes.html#1.4.11

access.redhat.com/errata/RHSA-2019:3892

access.redhat.com/errata/RHSA-2019:4352

access.redhat.com/errata/RHSA-2020:0445

access.redhat.com/errata/RHSA-2020:0727

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/security-alerts/cpuoct2020.html

osv 5

redhatcve 3

ibm 9

myhack58 1

github 5

cve 2

cvelist 2

ubuntucve 2

nvd 2

prion 2

veracode 1

debiancve 2

gentoo 1

openvas 8

mageia 1

nuclei 1

exploitpack 1

nessus 10

fedora 2

zdt 1

redhat 18

packetstorm 1

symantec 1

checkpoint_advisories 1

exploitdb 1

freebsd 1

oracle 5

osv

Deserialization of Untrusted Data and Code Injection in xstream

2019-07-26 16:09:47

Command Injection in Xstream

2019-05-29 18:05:03

XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling

2020-12-21 16:28:26

redhatcve

CVE-2019-10173

2019-07-22 14:36:13

CVE-2020-26259

2020-12-17 20:48:46

CVE-2020-26258

2020-12-17 20:48:37

ibm

Security Bulletin: XStream as used by IBM QRadar SIEM is vulnerable to OS command injection (CVE-2019-10173)

2019-11-20 17:14:22

Security Bulletin: Multiple vulnerabilities in Xstream affect IBM InfoSphere Information Server

2019-11-01 20:48:15

Security Bulletin: CVE-2019-10173CVE-2019-10173 xstream API If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands

2020-11-18 20:31:41

myhack58

Xstream remote code execution vulnerability-vulnerability warning-the black bar safety net

2019-07-25 00:00:00

github

Deserialization of Untrusted Data and Code Injection in xstream

2019-07-26 16:09:47

Command Injection in Xstream

2019-05-29 18:05:03

XStream can be used for Remote Code Execution

2020-11-16 20:07:59

cve

CVE-2019-10173

2019-07-23 13:15:13

CVE-2013-7285

2019-05-15 17:29:00

cvelist

CVE-2019-10173

2019-07-23 12:50:44

CVE-2013-7285

2019-05-15 16:54:57

ubuntucve

CVE-2019-10173

2019-07-23 00:00:00

CVE-2013-7285

2019-05-15 00:00:00

nvd

CVE-2019-10173

2019-07-23 13:15:13

CVE-2013-7285

2019-05-15 17:29:00

prion

Deserialization of untrusted data

2019-07-23 13:15:00

Design/Logic Flaw

2019-05-15 17:29:00

veracode

Remote Code Execution (RCE)

2019-07-23 05:16:12

debiancve

CVE-2019-10173

2019-07-23 13:15:13

CVE-2013-7285

2019-05-15 17:29:00

gentoo

XStream: Remote execution of arbitrary code

2016-12-13 00:00:00

openvas

Fedora Update for xstream FEDORA-2014-2372

2014-02-25 00:00:00

Fedora Update for xstream FEDORA-2014-2340

2014-02-25 00:00:00

Fedora Update for xstream FEDORA-2014-2340

2014-02-25 00:00:00

mageia

Updated xstream packages fix CVE-2013-7285

2014-02-26 01:54:53

nuclei

XStream <1.4.6/1.4.10 - Remote Code Execution

2023-03-12 03:38:05

exploitpack

OpenMRS Reporting Module 0.9.7 - Remote Code Execution

2016-01-07 00:00:00

nessus

Fedora 20 : xstream-1.3.1-9.fc20 (2014-2372)

2014-02-23 00:00:00

GLSA-201612-35 : XStream: Remote execution of arbitrary code

2016-12-13 00:00:00

Artifactory < 3.1.1.1 XStream Remote Code Execution

2014-03-12 00:00:00

fedora

[SECURITY] Fedora 19 Update: xstream-1.3.1-5.1.fc19

2014-02-22 00:56:20

[SECURITY] Fedora 20 Update: xstream-1.3.1-9.fc20

2014-02-22 00:47:06

zdt

OpenMRS Reporting Module 0.9.7 - Remote Code Execution

2016-01-07 00:00:00

redhat

(RHSA-2014:0389) Important: jasperreports-server-pro security update

2014-04-09 00:00:00

(RHSA-2014:0294) Important: XStream security update

2014-03-13 19:11:29

(RHSA-2014:0216) Important: XStream security update

2014-02-26 20:31:01

packetstorm

OpenMRS Reporting Module 0.9.7 Remote Code Execution

2016-01-06 00:00:00

symantec

XStream API CVE-2019-10173 Deserialization Remote Code Execution Vulnerability

2019-07-23 00:00:00

checkpoint_advisories

XStream Library Insecure Deserialization (CVE-2019-10173)

2020-02-26 00:00:00

exploitdb

OpenMRS Reporting Module 0.9.7 - Remote Code Execution

2016-01-07 00:00:00

freebsd

jenkins -- multiple vulnerabilities

2014-02-14 00:00:00

oracle

Oracle Critical Patch Update Advisory - October 2020

2020-10-20 00:00:00

Oracle Critical Patch Update Advisory - January 2021

2021-01-19 00:00:00

Oracle Critical Patch Update Advisory - July 2021

2021-07-20 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.3 High

AI Score

Confidence

Low

0.942 High

EPSS

Percentile

99.2%

JSON

Related for OSV:CVE-2019-10173