It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Banking Platform
APPOracle2.4.02.7.12.9.02.4.0 – 2.10.0Oracle Business Activity Monitoring
APPOracle11.1.1.9.012.2.1.3.012.2.1.4.0Oracle Communications Billing And Revenue Management Elastic Charging Engine
APPOracle11.3.0.9.012.0.0.3.0Oracle Communications Diameter Signaling Router
APPOracle8.0.0 – 8.2.2Oracle Communications Unified Inventory Management
APPOracle7.3.07.4.0Oracle Endeca Information Discovery Studio
APPOracle3.2.03.2.0.0Oracle Retail Xstore Point Of Service
APPOracle17.0Oracle Utilities Framework
APPOracle2.2.0.0.04.2.0.2.04.2.0.3.04.4.0.0.04.3.0.1.0 – 4.3.0.6.0Oracle Webcenter Portal
APPOracle11.1.1.9.012.2.1.3.012.2.1.4.0Xstream
APPXstream1.4.10
Related vulnerabilities
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invoc...
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbit...
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Suppo...