CVE-2013-4221: XML Injection (aka Blind XPath Injection)
(updated )
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
References
- blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
- restlet.org/learn/2.1/changes
- rhn.redhat.com/errata/RHSA-2013-1410.html
- rhn.redhat.com/errata/RHSA-2013-1862.html
- bugzilla.redhat.com/show_bug.cgi?id=995275
- github.com/advisories/GHSA-92j2-5r7p-6hjw
- github.com/restlet/restlet-framework-java/issues/774
- nvd.nist.gov/vuln/detail/CVE-2013-4221
Code Behaviors & Features
Detect and mitigate CVE-2013-4221 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →