CVE-2019-10173
CRITICAL
9.8
CVSS Severity Score
Vulnerability Description
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
Affected Platforms (CPE)
📦
Xstream
Xstream
= 1.4.10📦
Oracle
Banking Platform
>= 2.4.0 and <= 2.10.0📦
Oracle
Banking Platform
= 2.4.0📦
Oracle
Banking Platform
= 2.7.1📦
Oracle
Banking Platform
= 2.9.0📦
Oracle
Business Activity Monitoring
= 11.1.1.9.0📦
Oracle
Business Activity Monitoring
= 12.2.1.3.0📦
Oracle
Business Activity Monitoring
= 12.2.1.4.0📦
Oracle
Communications Billing And Revenue Management Elastic Charging Engine
= 11.3.0.9.0📦
Oracle
Communications Billing And Revenue Management Elastic Charging Engine
= 12.0.0.3.0📦
Oracle
Communications Diameter Signaling Router
>= 8.0.0 and <= 8.2.2📦
Oracle
Communications Unified Inventory Management
= 7.3.0📦
Oracle
Communications Unified Inventory Management
= 7.4.0📦
Oracle
Endeca Information Discovery Studio
= 3.2.0📦
Oracle
Endeca Information Discovery Studio
= 3.2.0.0📦
Oracle
Retail Xstore Point Of Service
= 17.0📦
Oracle
Utilities Framework
>= 4.3.0.1.0 and <= 4.3.0.6.0📦
Oracle
Utilities Framework
= 2.2.0.0.0📦
Oracle
Utilities Framework
= 4.2.0.2.0📦
Oracle
Utilities Framework
= 4.2.0.3.0📦
Oracle
Utilities Framework
= 4.4.0.0.0📦
Oracle
Webcenter Portal
= 11.1.1.9.0📦
Oracle
Webcenter Portal
= 12.2.1.3.0📦
Oracle