Bugzilla – Bug 1142383
VUL-0: CVE-2019-10173: xstream: remote code execution due to insecure XML deserialization (regression)
Last modified: 2022-02-09 17:12:11 UTC
A vulnerability was found in the xstream API, version 1.4.10: if the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any other supported format, e.g. JSON. This is a regression of CVE-2013-7285, which was fixed in 1.4.7 (fixed as of BPMS 6.0.1); the regression was introduced with xstream-1.4.10 as implemented in RHPAM.
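Added illustration of the mitigation the description refers to, not code from this bug report or from the xstream project: an XStream 1.4.10 instance whose security framework is explicitly initialized with a deny-all permission plus an allowlist of the application's own types, so input naming any other class is rejected before it is instantiated. The `XStreamHardening` and `Order` classes and the sample XML are assumptions constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {
    // Hypothetical application DTO: the only object type the service expects.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Returns an XStream whose security framework is initialized as an allowlist.
    // Without any permission call, 1.4.10 warns "Security framework of XStream
    // not initialized" and accepts arbitrary types from the input stream.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny everything first
        xstream.addPermission(NullPermission.NULL);                // permit null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class }); // only what we need
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input of the expected shape: deserializes normally.
        Order o = (Order) xstream.fromXML("<order><id>A-1</id><quantity>3</quantity></order>");
        System.out.println(o.id + " x" + o.quantity);

        // Constructed input naming a type outside the allowlist: rejected with a
        // ForbiddenClassException (an XStreamException) before any object is built.
        try {
            xstream.fromXML("<java.util.Date><time>0</time></java.util.Date>");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist applies to every format XStream unmarshals, including JSON, since the type check happens in the mapper rather than in the XML reader.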
SUSE Manager 3.2 and 4.0 are both EOL.
Security Team: please close this bug