CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-3674 – XStream: enabled processing of external entities
https://notcve.org/view.php?id=CVE-2016-3674
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. Múltiples vulnerabilidades de entidad externa (XXE) en (1) Dom4JDriver, (2) DomDriver, (3) JDom Driver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver y (7) WstxDriver drivers en XStream en versiones anteriores a 1.4.9 permiten a atacantes remotos leer archivos arbitrarios a través de un documento XML manipulado. It was found that several XML parsers used by XStream had default settings that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html http://rhn.redhat.com/errata/RHSA-2016-2822.html http://rhn.redhat.com/errata/RHSA-2016-2823.html http://www.debian.org/security/2016/dsa-3575 http://www.openwall.com/lists/oss-security/2016/03/25/8 http://www.openwall.com/lists/oss-security/2016/03/28/1 http://www.securityfocus.com/bid/85381 http://www.se • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 40%CPEs: 2EXPL: 2CVE-2013-7285 – OpenMRS Reporting Module 0.9.7 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2013-7285
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. Xstream API versiones hasta la 1.4.6 y versión 1.4.10, Si la security framework no ha sido inicializada, estas vulnerabilidades podrían permitir que un atacante remoto ejecute comandos arbitrarios de shell mediante la manipulación de la secuencia de entrada procesada al desclasificar un XML o cualquier formato compatible. p.ej. JSON. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. • https://www.exploit-db.com/exploits/39193 http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html http://seclists.org/oss-sec/2014/q1/69 http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org% • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •