CVE-2013-7285 — Vulnetix

Try Vulnetix Request Demo

CVE-2013-7285 PUBLISHED

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

EPSS 14.82% · 94.4th percentile

Risk Scores

EPSS Score

14.82%

94.4th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	libxstream-java	0, 1.4.4-1

Timeline

Jan 7, 2016 PoC Published
May 15, 2019 CVE Published
Feb 4, 2022 EPSS Score
Mar 30, 2023 EPSS Score
Jan 10, 2024 EPSS Score
Apr 23, 2024 EPSS Score
May 26, 2024 EPSS Score
Oct 5, 2024 EPSS Score
Mar 17, 2025 EPSS Score
Mar 19, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Mar 24, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2013-7285 third-party-advisory
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html third-party-advisory
http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3 third-party-advisory
http://xstream.codehaus.org/security.html third-party-advisory
https://fisheye.codehaus.org/changelog/xstream?cs=2210 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2013-7285 third-party-advisory

Open in Interactive Console →