CyberSec.Space Logo
Back to CVE Browser

CVE-2013-4221

HIGH
7.5
CVSS Severity Score
EPSS Score0.0090%
EPSS Percentile24.53th
PublishedOct 10, 2013
Last ModifiedApr 29, 2026

Vulnerability Description

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.

Affected Platforms (CPE)

πŸ“¦
Restlet

Restlet

<= 2.1.3
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1
πŸ“¦
Restlet

Restlet

= 2.1.0
πŸ“¦
Restlet

Restlet

= 2.1.1
πŸ“¦
Restlet

Restlet

= 2.1.2

References & Advisories

πŸ”— http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
πŸ”— http://restlet.org/learn/2.1/changes
πŸ”— http://rhn.redhat.com/errata/RHSA-2013-1410.html
πŸ”— http://rhn.redhat.com/errata/RHSA-2013-1862.html
πŸ”— https://bugzilla.redhat.com/show_bug.cgi?id=995275
πŸ”— https://github.com/restlet/restlet-framework-java/issues/774
πŸ”— http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
πŸ”— http://restlet.org/learn/2.1/changes

Related Vulnerabilities

CVE-2012-26567.5

An XML eXternal Entity (XXE) issue exists in Restlet 1.1.10 in an endpoint using XML transport, which lets a remote attacker obtai...

CVE-2013-42717.5

The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, w...

CVE-2017-148687.5

Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack...

CVE-2017-149497.5

Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conduct...