High severity · NVD Advisory · Published Oct 10, 2013 · Updated Apr 29, 2026
CVE-2013-4221
Description
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
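As an added illustration (this is not code from Restlet or from the advisory), the Java program below shows what "execute arbitrary Java code via crafted XML" means for XMLDecoder, next to the opt-in gate the 2.1.4 fix introduces. The payload is constructed for this example and only calls the static method java.lang.System.setProperty so that it leaves an observable marker instead of running a command; XMLDecoder would invoke any other public class and method named the same way. The media type string and the system property name are the ones used by the Restlet fix; the class, method and marker names are hypothetical.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class XmlDecoderDemo {

    // Media type Restlet maps to XMLEncoder/XMLDecoder (from the patch's Javadoc).
    static final String XML_OBJECT_MEDIA_TYPE = "application/x-java-serialized-object+xml";

    // Opt-in switch added by the 2.1.4 fix; Boolean.getBoolean returns false when unset.
    static final String OPT_IN_PROPERTY =
            "org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED";

    // Constructed payload for this example. readObject() yields the trailing String,
    // but the <void class=... method=...> element makes XMLDecoder call the static
    // method System.setProperty(...) while parsing, before anything is returned.
    static final String PAYLOAD = String.join("\n",
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
            "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">",
            "  <void class=\"java.lang.System\" method=\"setProperty\">",
            "    <string>xmldecoder.demo.marker</string>",
            "    <string>executed</string>",
            "  </void>",
            "  <string>looks harmless</string>",
            "</java>");

    /** Pre-2.1.4 behaviour: a body with the XML media type goes straight to XMLDecoder. */
    static Object decodeUnsafely(InputStream body) {
        try (XMLDecoder decoder = new XMLDecoder(body)) {
            // Parsing evaluates every element, side effects included, on the first read.
            return decoder.readObject();
        }
    }

    /**
     * Post-2.1.4 behaviour: the XML variant is refused unless the JVM was started
     * with -D<OPT_IN_PROPERTY>=true, so the body is never handed to XMLDecoder.
     */
    static Object decodeGuarded(String mediaType, InputStream body) {
        if (XML_OBJECT_MEDIA_TYPE.equals(mediaType) && !Boolean.getBoolean(OPT_IN_PROPERTY)) {
            throw new UnsupportedOperationException(
                    "415 Unsupported Media Type: " + mediaType + " is disabled");
        }
        return decodeUnsafely(body);
    }

    static InputStream payloadBody() {
        return new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        System.clearProperty("xmldecoder.demo.marker");

        // Hardened path: rejected before parsing, so the marker stays unset.
        try {
            decodeGuarded(XML_OBJECT_MEDIA_TYPE, payloadBody());
        } catch (UnsupportedOperationException e) {
            System.out.println("guarded: " + e.getMessage());
        }
        System.out.println("marker after guarded decode: "
                + System.getProperty("xmldecoder.demo.marker"));

        // Vulnerable path: the returned value is just a String, but the static
        // call described in the XML has already run inside readObject().
        Object result = decodeUnsafely(payloadBody());
        System.out.println("unsafe decode returned: " + result);
        System.out.println("marker after unsafe decode: "
                + System.getProperty("xmldecoder.demo.marker"));
    }
}
```

Run with plain `java XmlDecoderDemo.java`: the marker property is untouched after the guarded call and set to "executed" after the unsafe one, even though the unsafe call returned only a String. XMLDecoder offers no allow-list or filter comparable to ObjectInputFilter, so there is no safe way to apply it to untrusted bodies; the fix is to refuse the media type, as the gate does, and to carry data in a format that cannot describe method calls.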
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.restlet.jse:org.restlet (Maven) | < 2.1.4 | 2.1.4 |
Affected products
- cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:* (range: <= 2.1.3)
- cpe:2.3:a:restlet:restlet:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone1:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone2:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone3:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone4:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone5:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:milestone6:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc5:*:*:*:*:*:*
- cpe:2.3:a:restlet:restlet:2.1:rc6:*:*:*:*:*:*
Patches
b85c2ef182c6 Fixed issue #774 - Removed default support of JavaBeans XML-serialization. Reported by David Jorm, Dinis Cruz, Abraham Kang and Alvaro Munoz.
3 files changed · +47 −13
build/tmpl/text/changes.txt+2 −0 modified@@ -13,6 +13,8 @@ Changes log - Fixed issue #757 - Infinite Loop in Feed. - Fixed issue #753 - Date concurrency issue due to broken caching attempts. Reported by @effad. Solved by Robert Fischer and Tim Peierls. + - Fixed issue #774 - Removed default support of JavaBeans XML-serialization. + Reported by David Jorm, Dinis Cruz, Abraham Kang and alavaro Munoz. - Misc - Added log warning when an authentication scheme does not define a "realm" parameter. Reported by Loïc Oudot (#759).
modules/org.restlet/src/org/restlet/engine/converter/DefaultConverter.java+25 −12 modified@@ -78,6 +78,10 @@ public class DefaultConverter extends ConverterHelper { private static final VariantInfo VARIANT_OBJECT_XML = new VariantInfo( MediaType.APPLICATION_JAVA_OBJECT_XML); + /** Indicates whether the JavaBeans XML deserialization is supported or not. */ + private static final boolean VARIANT_OBJECT_XML_SUPPORTED = Boolean + .getBoolean("org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED"); + @Override public List<Class<?>> getObjectClasses(Variant source) { List<Class<?>> result = null; @@ -90,7 +94,8 @@ public List<Class<?>> getObjectClasses(Variant source) { MediaType mediaType = source.getMediaType(); if (MediaType.APPLICATION_JAVA_OBJECT.equals(mediaType) - || MediaType.APPLICATION_JAVA_OBJECT_XML.equals(mediaType)) { + || (VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML + .equals(mediaType))) { result = addObjectClass(result, Object.class); } else if (MediaType.APPLICATION_WWW_FORM.equals(mediaType)) { result = addObjectClass(result, Form.class); @@ -123,7 +128,9 @@ public List<VariantInfo> getVariants(Class<?> source) { result = addVariant(result, VARIANT_FORM); } else if (Serializable.class.isAssignableFrom(source)) { result = addVariant(result, VARIANT_OBJECT); - result = addVariant(result, VARIANT_OBJECT_XML); + if (VARIANT_OBJECT_XML_SUPPORTED) { + result = addVariant(result, VARIANT_OBJECT_XML); + } } } 
@@ -160,11 +167,13 @@ public float score(Object source, Variant target, Resource resource) { } else if (MediaType.APPLICATION_JAVA_OBJECT .isCompatible(target.getMediaType())) { result = 0.6F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target - .getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(target + .getMediaType())) { result = 1.0F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML - .isCompatible(target.getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML + .isCompatible(target.getMediaType())) { result = 0.6F; } } else { @@ -216,11 +225,13 @@ public <T> float score(Representation source, Class<T> target, } else if (MediaType.APPLICATION_JAVA_OBJECT .isCompatible(source.getMediaType())) { result = 0.6F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source - .getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML.equals(source + .getMediaType())) { result = 1.0F; - } else if (MediaType.APPLICATION_JAVA_OBJECT_XML - .isCompatible(source.getMediaType())) { + } else if (VARIANT_OBJECT_XML_SUPPORTED + && MediaType.APPLICATION_JAVA_OBJECT_XML + .isCompatible(source.getMediaType())) { result = 0.6F; } else { result = 0.5F; @@ -331,8 +342,10 @@ public <T> void updatePreferences(List<Preference<MediaType>> preferences, } else if (Serializable.class.isAssignableFrom(entity)) { updatePreferences(preferences, MediaType.APPLICATION_JAVA_OBJECT, 1.0F); - updatePreferences(preferences, - MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F); + if (VARIANT_OBJECT_XML_SUPPORTED) { + updatePreferences(preferences, + MediaType.APPLICATION_JAVA_OBJECT_XML, 1.0F); + } } else if (String.class.isAssignableFrom(entity) || Reader.class.isAssignableFrom(entity)) { updatePreferences(preferences, MediaType.TEXT_PLAIN, 1.0F);
modules/org.restlet/src/org/restlet/representation/ObjectRepresentation.java+20 −1 modified@@ -43,7 +43,26 @@ import org.restlet.data.MediaType; /** - * Representation based on a serializable Java object. + * Representation based on a serializable Java object.<br> + * It supports binary representations of JavaBeans using the + * {@link ObjectInputStream} and {@link ObjectOutputStream} classes. In this + * case, it handles representations having the following media type: + * {@link MediaType#APPLICATION_JAVA_OBJECT} + * ("application/x-java-serialized-object"). It also supports textual + * representations of JavaBeans using the {@link XMLEncoder} and + * {@link XMLDecoder} classes. In this case, it handles representations having + * the following media type: {@link MediaType#APPLICATION_JAVA_OBJECT_XML} + * ("application/x-java-serialized-object+xml"). + * + * SECURITY WARNING: The usage of {@link XMLDecoder} when deserializing XML + * presentations from unstrusted sources can lead to malicious attacks. As + * pointed <a href= + * "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html" + * >here</a> , the {@link XMLDecoder} is able to force the JVM to execute + * unwanted Java code described inside the XML file. Thus, the support of such + * format has been disactivated by default inside the default converter. You can + * activate this support by turning on the following system property: + * org.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED. * * @author Jerome Louvel * @param <T>
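Review bot: the changes.txt entry for #774 names neither the CVE nor the new opt-in switch, so an operator reading the release notes cannot tell that the old behaviour is one system property away. Suggest extending it to something like "Fixed issue #774 (CVE-2013-4221) - JavaBeans XML deserialization (application/x-java-serialized-object+xml) is now disabled by default; it can be re-enabled, at the caller's own risk, with -Dorg.restlet.engine.converter.DefaultConverter.VARIANT_OBJECT_XML_SUPPORTED=true".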
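Review bot: VARIANT_OBJECT_XML_SUPPORTED is read once with Boolean.getBoolean(...) into a static final, so the property must be set before DefaultConverter is first loaded (in practice on the JVM command line); setting it later from application code has no effect, and the Javadoc that advertises the property should say so. In the same getObjectClasses hunk, MediaType.APPLICATION_JAVA_OBJECT still leads unconditionally to `result = addObjectClass(result, Object.class)`, so binary ObjectInputStream deserialisation of request bodies stays on by default; it is the same class of problem and deserves the same opt-in gate, or at least the same security warning.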
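Review bot: the guard `VARIANT_OBJECT_XML_SUPPORTED && MediaType.APPLICATION_JAVA_OBJECT_XML...` is now repeated in four branches of the two score() methods as well as in getObjectClasses, getVariants and updatePreferences; a private helper such as `isObjectXmlVariant(MediaType)` would make it one decision and harder to miss when the next media-type branch is added. Worth confirming, too, that with the flag off a request body carrying the XML media type ends in a 415 rather than falling through to the `result = 0.5F` default branch visible at the end of the second score() hunk.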
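Review bot: the only change to ObjectRepresentation is Javadoc, so the class's XMLDecoder path is still reachable by any code that constructs an ObjectRepresentation with MediaType.APPLICATION_JAVA_OBJECT_XML directly, bypassing DefaultConverter and its new flag; either gate the decoder inside ObjectRepresentation as well, or state in this Javadoc that the property only affects the default converter. Typos in the added text: "unstrusted" should be "untrusted", "XML presentations" should be "XML representations", "As pointed here" should be "As pointed out here", "disactivated" should be "deactivated", and "turning on the following system property" should be "setting the following system property to true".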
References
- github.com/restlet/restlet-framework-java/issues/774 (NVD: Issue Tracking, Patch)
- blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html (NVD: Third Party Advisory)
- restlet.org/learn/2.1/changes (NVD: Release Notes, Vendor Advisory)
- rhn.redhat.com/errata/RHSA-2013-1410.html (NVD: Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2013-1862.html (NVD: Third Party Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Third Party Advisory)
- github.com/advisories/GHSA-92j2-5r7p-6hjw (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4221 (GHSA: Advisory)
- github.com/restlet/restlet-framework-java/commit/b85c2ef182c69c5e2e21df008ccb249ccf80c7b (GHSA)