Date: Fri, 10 Jan 2014 10:07:57 +1000
From: David Jorm <djorm@...hat.com>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: remote code execution via deserialization in XStream

On 01/10/2014 09:46 AM, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
>
> Use CVE-2013-7285.
>
> At least initially, the scope of this CVE is "XStream is an
> 'reflection-based XML-to-Object conversion'" in that file, and all of
> the implications of unrestricted conversion, including "allows the
> creation of server side objects based on reflection (which means that
> you could have all sorts of business-logic sensitive objects being
> created)" -- which is mentioned separately in that file.
>
> If this does not make sense, and multiple CVEs are needed, please let
> us know.
>
> - --
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEcBAEBAgAGBQJSzzPZAAoJEKllVAevmvms3cEH/3MBAH57R/LhQfI5ZMUm9FOD
> eZm7p9IGl3PpSMtrwqSNwXS6InpfAmc04P0xX/HM4yFSRX6yHVaTZA9vbNGRs6PV
> VdZg/A+WiUwdBdGhsFfXCb82QvCthdxyv6AAK5uNpVqQTqmikVPNk8gYxcHXZz3+
> xUmUGLxwlCtImSZ1WiZMSCMYul3jsFsuOiVlqHF2NBoXh+55xmy8hLTOCUijILeG
> lAXfMo25S971OJalr5pzGUC2EPUclV5D08+jv3KCNqryNphsepa3+14OKrvvz1yX
> Q19c3+suDKWOUDvur9ENeHkf//Va881GNGZkcvppfvIkYCMI3vKFaWGMYRWR+jE=
> =Jkgd
> -----END PGP SIGNATURE-----

That makes sense, and I think a single CVE ID is all that is needed in this case.

Thanks
David
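The quoted scope statement describes the root cause: XStream maps XML element names to Java classes by reflection, so an application that unmarshals untrusted XML with a default XStream instance lets the document author decide which server-side classes get constructed. The defensive fix is to invert that default and let the application name the only types it is willing to instantiate. The following is an added example, not code from this thread or from the XStream project. It assumes XStream 1.4.7 or later (the security framework that provides addPermission/allowTypes postdates this thread; on the versions affected by CVE-2013-7285 these calls do not exist and upgrading is the fix); the Greeting class, the alias and both XML documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed example DTO: the only application type this endpoint
    // is meant to unmarshal.
    public static class Greeting {
        public String message;
        public int count;
    }

    // Build an XStream instance that refuses every type except the ones
    // explicitly listed. The order matters: deny everything first, then
    // re-enable the minimum the endpoint needs.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all
        xstream.addPermission(NullPermission.NULL);                // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        xstream.alias("greeting", Greeting.class);                 // constructed alias
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input 1: the expected shape, resolves to an allowed type.
        String expected =
            "<greeting><message>hello</message><count>2</count></greeting>";
        Greeting g = (Greeting) xstream.fromXML(expected);
        System.out.println("allowed: " + g.message + " x" + g.count);

        // Constructed input 2: a well-formed document naming a JDK class the
        // endpoint never asked for. A default XStream instance would build it
        // by reflection; the hardened instance throws before any constructor
        // or field of that class is touched.
        String unexpected =
            "<java.util.ArrayList><string>x</string></java.util.ArrayList>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: unlisted type was instantiated");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes on the design: the rejection happens in XStream's mapper when the element name is resolved to a class, so a ForbiddenClassException is a clean, loggable signal that an unmarshalling endpoint received a type it should never see, which makes it a useful detection hook as well as a mitigation; and allowTypes (or allowTypeHierarchy for a bounded set of subclasses) should be preferred over broad wildcard patterns, because the wider the allowed set, the more of the "business-logic sensitive objects" the quoted scope statement warns about become reachable again.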