Description

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.

Remediation

References

http://restlet.org/learn/2.1/changes

http://rhn.redhat.com/errata/RHSA-2013-1410.html

http://rhn.redhat.com/errata/RHSA-2013-1862.html

https://bugzilla.redhat.com/show_bug.cgi?id=999735

https://github.com/restlet/restlet-framework-java/issues/778

Related Vulnerabilities

CVE-2011-2730 Vulnerability in maven package org.springframework:spring-web

CVE-2022-21231 Vulnerability in npm package deep-get-set

CVE-2023-39151 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2023-30519 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger

CVE-2023-2968 Vulnerability in npm package proxy

Severity

Critical

Classification

CWE-502

Tags

Vendor Advisory Third Party Advisory Issue Tracking Patch