CRITICAL🇵🇱 Wersja polska

CVE-2019-10173

CVSS 9.8v3.1pub. 2019-07-23upd. 2025-05-14

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Banking Platform

    APP
    Oracle
    2.4.02.7.12.9.02.4.0 – 2.10.0
  • Oracle Business Activity Monitoring

    APP
    Oracle
    11.1.1.9.012.2.1.3.012.2.1.4.0
  • Oracle Communications Billing And Revenue Management Elastic Charging Engine

    APP
    Oracle
    11.3.0.9.012.0.0.3.0
  • Oracle Communications Diameter Signaling Router

    APP
    Oracle
    8.0.0 – 8.2.2
  • Oracle Communications Unified Inventory Management

    APP
    Oracle
    7.3.07.4.0
  • Oracle Endeca Information Discovery Studio

    APP
    Oracle
    3.2.03.2.0.0
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    17.0
  • Oracle Utilities Framework

    APP
    Oracle
    2.2.0.0.04.2.0.2.04.2.0.3.04.4.0.0.04.3.0.1.0 – 4.3.0.6.0
  • Oracle Webcenter Portal

    APP
    Oracle
    11.1.1.9.012.2.1.3.012.2.1.4.0
  • Xstream

    APP
    Xstream
    1.4.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2020-2555CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invoc...

CVE-2017-9841CRITICAL9.8⚠ KEVten sam produkt

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbit...

CVE-2026-46765CRITICAL9.9ten sam produkt

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Suppo...