{"containers":{"cna":{"affected":[{"product":"xstream","vendor":"xstream","versions":[{"status":"affected","version":"fixed in 1.4.11"}]}],"descriptions":[{"lang":"en","value":"It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)"}],"metrics":[{"cvssV3_0":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"CWE-94","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-07-20T22:53:25.000Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2019:3892","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2019:3892"},{"name":"RHSA-2019:4352","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2019:4352"},{"name":"RHSA-2020:0445","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2020:0445"},{"name":"RHSA-2020:0727","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2020:0727"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"},{"tags":["x_refsource_MISC"],"url":"http://x-stream.github.io/changes.html#1.4.11"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2019-10173","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"xstream","version":{"version_data":[{"version_value":"fixed in 1.4.11"}]}}]},"vendor_name":"xstream"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)"}]},"impact":{"cvss":[[{"vectorString":"7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-94"}]}]},"references":{"reference_data":[{"name":"RHSA-2019:3892","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2019:3892"},{"name":"RHSA-2019:4352","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2019:4352"},{"name":"RHSA-2020:0445","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2020:0445"},{"name":"RHSA-2020:0727","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2020:0727"},{"name":"https://www.oracle.com/security-alerts/cpuapr2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"},{"name":"http://x-stream.github.io/changes.html#1.4.11","refsource":"MISC","url":"http://x-stream.github.io/changes.html#1.4.11"},{"name":"https://www.oracle.com/security-alerts/cpujan2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"name":"https://www.oracle.com/security-alerts/cpuApr2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"name":"https://www.oracle.com//security-alerts/cpujul2021.html","refsource":"MISC","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T22:10:10.018Z"},"title":"CVE Program Container","references":[{"name":"RHSA-2019:3892","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2019:3892"},{"name":"RHSA-2019:4352","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2019:4352"},{"name":"RHSA-2020:0445","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2020:0445"},{"name":"RHSA-2020:0727","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2020:0727"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://x-stream.github.io/changes.html#1.4.11"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"}]}]},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2019-10173","datePublished":"2019-07-23T12:50:44.000Z","dateReserved":"2019-03-27T00:00:00.000Z","dateUpdated":"2024-08-04T22:10:10.018Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}