Bug 1142383 - (CVE-2019-10173) VUL-0: CVE-2019-10173: xstream: remote code execution due to insecure XML deserialization (regression)
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / Other
Priority / Severity: P3 - Medium / Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/237807/
CVSSv3:SUSE:CVE-2019-10173:7.3:(AV:N/...
Reported: 2019-07-22 16:37 UTC by Wolfgang Frisch
Modified: 2022-02-09 17:12 UTC (History)
Found By: Security Response Team
Description Wolfgang Frisch 2019-07-22 16:37:00 UTC
CVE-2019-10173

A vulnerability was found in the xstream API version 1.4.10: if the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON. This is a regression of CVE-2013-7285, fixed in 1.4.7 as of BPMS 6.0.1; the regression was introduced with xstream-1.4.10 implemented in RHPAM.


References:
https://access.redhat.com/security/cve/cve-2013-7285
https://bugzilla.redhat.com/show_bug.cgi?id=1722971
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10173
Comment 2 Michael Calmer 2022-02-09 15:59:45 UTC
SUSE Manager 3.2 and 4.0 are both EOL.

Security Team: please close this bug
Comment 3 Wolfgang Frisch 2022-02-09 17:12:11 UTC
Closing.