N/A

CVSS Score

Basic Information

CVE ID

CVE-2013-2185

GHSA ID

GHSA-v6c7-8qx5-8gmp

EPSS Score

0.89025%

CWE

CWE-502

Published

5/17/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-2185

CVE-2013-2185:
Deserialization of Untrusted Data in Apache Tomcat

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.

NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue. Regardless the tomcat maintainers have altered the behavior of this method in version 7.0.39.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2013-2185

GHSA ID

GHSA-v6c7-8qx5-8gmp

EPSS Score

0.89025%

CWE

CWE-502

Published

5/17/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	< 7.0.39	7.0.39

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the readObject method in DiskFileItem as the entry point. This method handles deserialization of file upload data but fails to properly sanitize NULL bytes in filenames during deserialization. This allows path traversal attacks by terminating filename validation checks early (via NULL byte injection). The dispute about responsibility doesn't change the technical reality that this method processes untrusted serialized data without adequate safeguards. The first patched version (7.0.39) confirms this was addressed in Tomcat's implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** r***O*j**t m*t*o* in t** *isk*il*It*m *l*ss in *p**** Tom**t *n* J*oss W**, *s us** in R** **t J*oss *nt*rpris* *ppli**tion Pl*t*orm *.*.* *n* R** **t J*oss Port*l *.*.*, *llows r*mot* *tt**k*rs to writ* to *r*itr*ry *il*s vi* * NULL *yt* in * *i

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** r***O*j**t m*t*o* in *isk*il*It*m *s t** *ntry point. T*is m*t*o* **n*l*s **s*ri*liz*tion o* *il* uplo** **t* *ut **ils to prop*rly s*nitiz* NULL *yt*s in *il*n*m*s *urin* **s*ri*liz*tion. T*is

N/A

Basic Information

Concerned about an active attack path?

CVE-2013-2185: Deserialization of Untrusted Data in Apache Tomcat

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2013-2185:
Deserialization of Untrusted Data in Apache Tomcat

Vulnerability Intelligence
Miggo AI