Description
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
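The mechanism behind this entry, as an added, self-contained example that is not Restlet's code: java.beans.XMLDecoder is a general object-graph builder, so any document it reads may name classes and call public methods on them, and a class that hands a request body to it, as the default ObjectRepresentation did before 2.1.4, lets the sender run code during decoding. The example below uses only the JDK. The constructed payload calls System.setProperty so the effect is visible and harmless, where a real attacker would name java.lang.ProcessBuilder; the `Greeting` type, the `<greeting>`/`<name>` element names and the `EXPECTED_XML` body are assumptions made for the example. `decodeUnsafely` is the vulnerable pattern; `decodeSafely` is the hardening a practitioner would apply: no general-purpose deserializer over untrusted bytes at all, a parser with DTDs and entity expansion disabled, a root-element check against the one shape the endpoint accepts, and a copy of named fields into a fixed type.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlDecoderDemo {

    // Constructed payload (example only). XMLDecoder will invoke the static
    // method System.setProperty named here before it returns the trailing
    // <string>, so the caller receives an ordinary-looking value while the
    // side effect has already happened. Swap the class for ProcessBuilder and
    // this is the remote code execution the advisory describes.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n"
      + "  <void class=\"java.lang.System\" method=\"setProperty\">\n"
      + "    <string>xmldecoder.demo</string>\n"
      + "    <string>executed</string>\n"
      + "  </void>\n"
      + "  <string>looks like an ordinary value</string>\n"
      + "</java>\n";

    // Constructed request body in the only shape the hardened decoder accepts
    // (assumed element names, not a Restlet format).
    static final String EXPECTED_XML =
        "<greeting><name>restlet</name></greeting>";

    // Vulnerable pattern: the request body goes straight to XMLDecoder, which
    // executes every constructor and method call in the document.
    static Object decodeUnsafely(String xml) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject();
        }
    }

    // The only type this endpoint is allowed to produce (assumed for the example).
    static final class Greeting {
        final String name;
        Greeting(String name) { this.name = name; }
    }

    // Hardened pattern: parse with a locked-down DOM parser, reject any document
    // whose root is not the expected element (an XMLDecoder payload has a <java>
    // root and fails here), then copy named fields into the fixed type.
    static Greeting decodeSafely(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        if (!"greeting".equals(root.getTagName())) {
            throw new IllegalArgumentException("rejected root element <" + root.getTagName() + ">");
        }
        NodeList names = root.getElementsByTagName("name");
        if (names.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <name> element");
        }
        return new Greeting(names.item(0).getTextContent());
    }

    public static void main(String[] args) throws Exception {
        // The property is unset, the unsafe decode runs the payload, and the
        // returned value gives no hint that anything happened.
        System.out.println("before unsafe decode: " + System.getProperty("xmldecoder.demo"));
        Object value = decodeUnsafely(UNTRUSTED_XML);
        System.out.println("unsafe decode returned: " + value);
        System.out.println("after unsafe decode:  " + System.getProperty("xmldecoder.demo"));
        System.clearProperty("xmldecoder.demo");

        // The hardened decoder accepts the expected shape and rejects the payload
        // without invoking anything from it.
        System.out.println("safe decode name: " + decodeSafely(EXPECTED_XML).name);
        try {
            decodeSafely(UNTRUSTED_XML);
        } catch (IllegalArgumentException e) {
            System.out.println("safe decode: " + e.getMessage());
        }
        System.out.println("after safe decode:    " + System.getProperty("xmldecoder.demo"));
    }
}
```

Compile and run with `javac XmlDecoderDemo.java && java XmlDecoderDemo`. The check that matters when auditing a Restlet deployment is the version (upgrade to 2.1.4 or later) and, independently of version, that nothing in the application hands a request body to XMLDecoder or to any other deserializer that can instantiate arbitrary classes.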
References (6)
Scores
EPSS
0.0211
EPSS Percentile
84.2%
Details
CWE
CWE-16
CWE-91
Status
published
Products (6)
org.restlet.jse/org.restlet
0 - 2.1.4 (Maven)
restlet/restlet
2.1 milestone1 (12 CPE variants)
restlet/restlet
2.1.0
restlet/restlet
2.1.1
restlet/restlet
2.1.2
restlet/restlet
< 2.1.3
Published
Oct 10, 2013
Tracked Since
Feb 18, 2026