Critical severityNVD Advisory· Published Jul 23, 2019· Updated Aug 4, 2024
CVE-2019-10173
CVE-2019-10173
Description
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | >= 1.4.10, < 1.4.11 | 1.4.11 |
Affected products
4- osv-coords3 versionspkg:apk/chainguard/hadoop-fips-3.3.6pkg:apk/chainguard/hadoop-fips-3.4.2pkg:maven/com.thoughtworks.xstream/xstream
< 3.3.6-r21+ 2 more
- (no CPE)range: < 3.3.6-r21
- (no CPE)range: < 3.4.2-r0
- (no CPE)range: >= 1.4.10, < 1.4.11
- xstream/xstreamv5Range: fixed in 1.4.11
Patches
Vulnerability mechanics
References
13- access.redhat.com/errata/RHSA-2019:3892ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:4352ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0445ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2020:0727ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-hf23-9pf7-388pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10173ghsaADVISORY
- x-stream.github.io/changes.htmlghsax_refsource_MISCWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.