Description

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.

Remediation

References

http://restlet.org/learn/2.1/changes

http://rhn.redhat.com/errata/RHSA-2013-1410.html

http://rhn.redhat.com/errata/RHSA-2013-1862.html

https://bugzilla.redhat.com/show_bug.cgi?id=999735

https://github.com/restlet/restlet-framework-java/issues/778

Related Vulnerabilities

CVE-2022-25852 Vulnerability in npm package pg-native

CVE-2021-44138 Vulnerability in maven package com.caucho:resin

CVE-2018-0114 Vulnerability in npm package node-jose

CVE-2022-36059 Vulnerability in npm package matrix-js-sdk

CVE-2023-28683 Vulnerability in maven package org.jenkins-ci.plugins:phabricator-plugin

Severity

Critical

Classification

CWE-502

Tags

Vendor Advisory Third Party Advisory Issue Tracking Patch