CVE-2019-10173

Summary

CVE	CVE-2019-10173
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-07-23 13:15:00 UTC
Updated	2022-10-05 20:38:00 UTC
Description	It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Risk And Classification

Problem Types: CWE-94

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Oracle	Banking Platform	2.4.0	All	All	All
Application	Oracle	Banking Platform	2.7.1	All	All	All
Application	Oracle	Banking Platform	2.9.0	All	All	All
Application	Oracle	Banking Platform	All	All	All	All
Application	Oracle	Business Activity Monitoring	11.1.1.9.0	All	All	All
Application	Oracle	Business Activity Monitoring	12.2.1.3.0	All	All	All
Application	Oracle	Business Activity Monitoring	12.2.1.4.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management Elastic Charging Engine	11.3.0.9.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management Elastic Charging Engine	12.0.0.3.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.3.0	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.0	All	All	All
Application	Oracle	Endeca Information Discovery Studio	3.2.0	All	All	All
Application	Oracle	Endeca Information Discovery Studio	3.2.0.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0	All	All	All
Application	Oracle	Utilities Framework	2.2.0.0.0	All	All	All
Application	Oracle	Utilities Framework	4.2.0.2.0	All	All	All
Application	Oracle	Utilities Framework	4.2.0.3.0	All	All	All
Application	Oracle	Utilities Framework	4.4.0.0.0	All	All	All
Application	Oracle	Utilities Framework	All	All	All	All
Application	Oracle	Webcenter Portal	11.1.1.9.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All
Application	Xstream Project	Xstream	1.4.10	All	All	All
Application	Xstream Project	Xstream	1.4.10	All	All	All

References

Reference	Source	Link	Tags
1722971 – (CVE-2019-10173) CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com	Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com	Third Party Advisory
XStream - Change History	MISC	x-stream.github.io	Release Notes, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

981972 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-hf23-9pf7-388p)