The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
restlet.org/learn/2.1/changes
rhn.redhat.com/errata/RHSA-2013-1410.html
rhn.redhat.com/errata/RHSA-2013-1862.html
bugzilla.redhat.com/show_bug.cgi?id=995275
github.com/restlet/restlet-framework-java
github.com/restlet/restlet-framework-java/commit/b85c2ef182c69c5e2e21df008ccb249ccf80c7b
github.com/restlet/restlet-framework-java/issues/774
nvd.nist.gov/vuln/detail/CVE-2013-4221